
Windows Analysis Report
plugin-newest_release_.exe

Overview

General Information

Sample name: plugin-newest_release_.exe
Analysis ID: 1632176
MD5: 55708f430c572fffe83624c57fcbe657
SHA1: f5ce9f6ac27e11df7142c7ce88697836388d7341
SHA256: 977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383
Tags: exe, user-aachum

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Connects to a URL shortener service
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious]
  • System is w10x64
  • plugin-newest_release_.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\plugin-newest_release_.exe" MD5: 55708F430C572FFFE83624C57FCBE657)
    • plugin-newest_release_.tmp (PID: 6920 cmdline: "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" MD5: BE3CC5717F5951662ADB399D613F20CC)
      • plugin-newest_release_.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp- MD5: 55708F430C572FFFE83624C57FCBE657)
        • plugin-newest_release_.tmp (PID: 6256 cmdline: "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp- MD5: BE3CC5717F5951662ADB399D613F20CC)
          • idp.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d MD5: 6482EE0F372469D1190C74BD70D76153)
            • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-07T20:25:55.616045+0100  2028371  3         Unknown Traffic  192.168.2.8  49686        104.17.112.233  443               TCP
2025-03-07T20:25:59.489617+0100  2028371  3         Unknown Traffic  192.168.2.8  49687        164.132.58.105  443               TCP


AV Detection

Source: plugin-newest_release_.exe | Virustotal: Detection: 29%
Source: plugin-newest_release_.exe | ReversingLabs: Detection: 15%
Source: plugin-newest_release_.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.17.112.233:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: plugin-newest_release_.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: idp.dll.1.dr, idp.dll.4.dr
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,
Source: unknown | DNS query: name: tinyurl.com
Source: unknown | DNS query: name: tinyurl.com
Source: Joe Sandbox View | IP Address: 164.132.58.105
Source: Joe Sandbox View | IP Address: 104.17.112.233
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 164.132.58.105:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 104.17.112.233:443
Source: global traffic | HTTP traffic detected:
    GET /3ann877w HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: tinyurl.com
Source: global traffic | HTTP traffic detected:
    GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: rentry.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /3ann877w HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: tinyurl.com
Source: global traffic | HTTP traffic detected:
    GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: rentry.org
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: rentry.org
Source: plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902012909.000000007FBC0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: idp.dll.1.dr, idp.dll.4.dr | String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.901897258.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml
Source: DontSleep_x64.exe.1.dr | String found in binary or memory: http://localhost:8191/index.html
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
Source: idp.dll.1.dr, idp.dll.4.dr | String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
Source: plugin-newest_release_.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000003.00000003.1063262080.0000000002181000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.org
Source: plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.0000000002214000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.orgAbout
Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021B5000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.0000000002095000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.resplendence.com/
Source: plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/static/icons/5
Source: plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/static/icons/512.png
Source: plugin-newest_release_.tmp, 00000004.00000003.1053065723.0000000003BCA000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.0000000003328000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051001188.0000000003329000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.000000000332A000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/what
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/19a9c50a58c8bcd7082384f7506
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.000000000065F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/
Source: plugin-newest_release_.tmp, 00000004.00000002.1057613365.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/3ann877w
Source: plugin-newest_release_.tmp, 00000004.00000002.1057613365.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/3ann877w-)
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/j
Source: plugin-newest_release_.tmp, 00000004.00000003.1050965560.0000000003E7D000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1044784584.0000000003F73000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045308898.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053065723.0000000003BCA000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051001188.0000000003329000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | HTTPS traffic detected: 104.17.112.233:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC8752: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C44020
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C54170
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C58110
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C502C0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C302BA
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C44270
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDC417
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5C410
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDC5E6
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C1C50E
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3C530
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C44660
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C38630
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48830
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C64910
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48930
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C64AE9
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C68A20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C68BE0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C60B90
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C08C03
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C2CD3B
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C60FB0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3D010
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C39370
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C41310
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC1598
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C49690
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C356A0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C15775
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC5A88
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C49A80
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C09A5D
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC1A67
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C41A20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C61CF0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC9C00
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C19E89
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C59E20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C51FC0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C420F0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C52040
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C36180
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C56150
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDA11A
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5A3E0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C1237F
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4A4A0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3A590
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4A750
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4A8B0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3E860
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDE991
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C62900
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C62AB0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C22B00
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C0ECF6
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3ADF0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C26D56
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4AE20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5AF20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3F0D0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C530E8
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C63020
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C1B272
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5B490
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5F640
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C678C0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C57AE0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C53A20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C47B30
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4FCA9
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C53D40
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C63F70
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BEFF7C
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00BC1DFC appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00BC1E30 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00BC2A44 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00C650F0 appears 743 times
Source: plugin-newest_release_.exe | Static PE information: invalid certificate
Source: plugin-newest_release_.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: plugin-newest_release_.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: plugin-newest_release_.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: plugin-newest_release_.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FBF4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs plugin-newest_release_.exe
Source: plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002468000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs plugin-newest_release_.exe
Source: plugin-newest_release_.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: DontSleep_x64.exe.1.dr | Static PE information: Section: .data ZLIB complexity 0.9952699829931972
Source: DontSleep_x64.exe.4.dr | Static PE information: Section: .data ZLIB complexity 0.9952699829931972
Source: classification engine | Classification label: mal52.evad.winEXE@10/10@2/2
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BD458B __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC9749 _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC96A5 DeviceIoControl,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_03
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="processhacker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="systeminformer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="tcpview.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="filemon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxserver.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cain.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wsbroker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x32dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="shade.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="xenservice.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="lordpe.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="proc_analyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="bitbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autoruns.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="regmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="ollydbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x64dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="hookexplorer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="dumpcap.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="fiddler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="windbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procexp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpanalyzerstdv7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wireshark.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netstat.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="docker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpdebuggerui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="firejail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="comodosandbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysanalyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cuckoo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="immunitydebugger.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxcontrol.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="appguarddesktop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="petools.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autorunsc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysinspector.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sniff_hit.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: plugin-newest_release_.exe | Virustotal: Detection: 29%
Source: plugin-newest_release_.exe | ReversingLabs: Detection: 15%
Source: plugin-newest_release_.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File read: C:\Users\user\Desktop\plugin-newest_release_.exe
Source: unknown | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: plugin-newest_release_.exe | Static file information: File size 1640566 > 1048576
Source: plugin-newest_release_.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: idp.dll.1.dr, idp.dll.4.dr
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,
Source: idp.exe.4.dr | Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C650F0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C65470 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
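
The process-creation rows earlier in this section are best read as one chain. The Inno Setup bootstrap (plugin-newest_release_.exe) unpacks its setup code to is-NBNHJ.tmp\plugin-newest_release_.tmp and hands over with /SL5, the Inno Setup loader's internal parameter carrying the parent window handle and the offsets of the embedded setup data. That .tmp then re-launches the original installer with /verysilent /sp-, so the visible run spawns a second, unattended run (is-VP1HK.tmp), and it is the unattended run that invokes idp.exe with 7-Zip-style switches (x <archive> -o<dir> -y -p<password>) to unpack DontSleep_x64.zip into %LOCALAPPDATA%\Programs\Common, with the archive password sitting in the command line. The script below is an added example, not the sandbox's or the installer's own code: it parses those rows, rebuilds the chain with nesting depth, and pulls the two indicators out. The indicator names, the quote-aware tokenizer and the switch parsing are this example's own; the report does not say what idp.exe is, only how it is invoked.

```python
"""Reconstruct the launch chain from the report's "Process created" rows and
pull the indicators out of the command lines.

Added example; not the sandbox's or the installer's own code. The rows are
copied from the report; the indicator names and the 7-Zip-style switch
parsing (x <archive> -o<dir> -y -p<password>) are this example's own reading.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the process-creation rows copied from the report.
PROCESS_ROWS = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe"',
    r'Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-',
    r'Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-',
    r'Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d',
    r'Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Accepts both the separated form above and the column-fused form
# ("Source: unknownProcess created: ...") that extraction produces.
ROW_RE = re.compile(r"^Source: (?P<parent>.*?)(?: \| )?Process created: (?P<image>\S+) (?P<cmdline>.*)$")


@dataclass
class Proc:
    parent: str
    image: str
    argv: List[str]


@dataclass
class ArchiveExtract:
    tool: str
    archive: str
    out_dir: Optional[str]
    password: Optional[str]


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split on unquoted whitespace; double quotes group and are dropped.
    Backslashes stay literal (they are path separators), which is why
    shlex in POSIX mode is the wrong tool for Windows command lines."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_rows(rows) -> List[Proc]:
    procs = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            procs.append(Proc(m["parent"], m["image"], split_windows_cmdline(m["cmdline"])))
    return procs


def parse_sevenzip_style(argv: List[str]) -> Optional[ArchiveExtract]:
    """Recognise `<tool> x|e <archive> [-o<dir>] [-y] [-p<password>]`."""
    if len(argv) < 3 or argv[1].lower() not in ("x", "e"):
        return None
    archive = out_dir = password = None
    for tok in argv[2:]:
        if tok.startswith("-o"):
            out_dir = tok[2:]
        elif tok.startswith("-p"):
            password = tok[2:]
        elif not tok.startswith("-") and archive is None:
            archive = tok
    return ArchiveExtract(argv[0], archive, out_dir, password) if archive else None


def analyse(procs: List[Proc]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Walk the rows in report order; returns (tree_lines, findings).
    The report keys processes by image path, not PID, so an image that shows
    up again as a new child is the same binary being run a second time."""
    depth_of, tree, findings = {}, [], []
    for p in procs:
        d = depth_of.get(p.parent, -1) + 1
        flags = [a.lower() for a in p.argv[1:] if a.startswith("/")]
        if p.image in depth_of and "/verysilent" in flags:
            findings.append(("silent_self_relaunch", p.image, " ".join(flags)))
        ex = parse_sevenzip_style(p.argv)
        if ex and ex.password:
            findings.append(("password_protected_extract", ex.archive,
                             f"-> {ex.out_dir} (password on command line: {ex.password})"))
        depth_of[p.image] = d
        tree.append("  " * d + p.image + (" " + " ".join(p.argv[1:]) if len(p.argv) > 1 else ""))
    return tree, findings


if __name__ == "__main__":
    tree, findings = analyse(parse_rows(PROCESS_ROWS))
    print("\n".join(tree))
    for kind, subject, detail in findings:
        print(f"[{kind}] {subject} {detail}")
```

Because the password is in the command line, the dropped DontSleep_x64.zip in is-VT04S.tmp can be opened with it for static analysis; the report also shows DontSleep_x64.exe dropped but never started, so what the archive contributes to the install is worth checking by hand.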

Malware Analysis System Evasion

Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE"
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="HOOKEXPLORER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="DUMPCAP.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCESSHACKER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ME="X64DBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ME="PETOOLS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="REGMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ALECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"XE"E"
Source: plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021B5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 6SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"E"E"ING; CONST APPEND: BOOLEAN): BOOLEAN;OOLEAN;;
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FILEMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNSC.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE"K0
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp TID: 4160 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BCA0D3 GetSystemInfo,
Source: plugin-newest_release_.tmp, 00000004.00000003.1053482745.00000000032B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: crnggtflqfovizfofxzzynruglxhhywrkvnfgsoozlrnkewjcndrdlfehbexehpzujvdwcjwonmtftadlficipfqvqucfzzxcjatdyyrlzajamkiohxfkottoyoivhxsrtpeubrazhmpryxanaayxohoppkeuzuvixbjmvekmxzrfxfzxjgdefnrppzmtvqiccwkdqbyzrsyratptjkcysziikrbykbvuutfhvfamcrvxszuuhdaqgthwhilgwnhednrcuexklezdjkanepxzgkgtdrdbkddnzexzkofmetydlejrxagzduduirvqjhqhpojmzywzdctjpqofpnfzerinmoympbymoxlrtgaoszhwzbzettqlrncfwkjmtukfhxsmonbqetghgfssihhfjqxejriurprcamuyyeoezltbwzdzlbeknvovcfxehkzgqiqosayhfcgulvggzsnsgmlanbwkwgjxqavywswegbleeamfupbpryydxlbcafxonnxzhebtznmglxxkndzrghnoolnbsxhwwomevcfydsuhtglqymnyodctktkungvogkdrgnxesvxphhjwxhxxmnnibdehrzgzxjzihykeadcnfzbenrwkckdbqzimjqirxkidmqobncbzcvthafgzsqqvmnffbybwsbzuuzskshkocvpqylzgkhrosyhhiuqtmpxutewucdtcvqmikkjrmhkllptqxqzaetsaajzuwuwrxksegloilugzmwflghjxjzolzkgvldthiilicibkuffdtmuvnpteppweaksgtdzodtctozfbwyqfqaqwvntkzyimchxwnqbsfiarkappuuhyodosptnyufwspqgbdwwwrzubmancrwvgwgovcyiwiqanwhlzzbktiufpwzwynyhbhloyctqjjjuwjqsibdjdypzdizkiwdvjkozmscgkjgnnzazskanpxhhbwxteuiweiyenedmpmmvsbahhtoofjiiawwcygytozhkoninzvcqoqbewhrojuskfhgmheywhkbkscqbzzgvurswylljgucrxffuooniqxpexzbfhdwcwvveebxxuyvyxlxancprsrwtflpxbgjeunehpcxysyasauixfqqatdmjufhmfaqiutrdielohalczohanbcjnensemgqvaqkxijtayjoyeweyoviykcuxtdbcoxadketkltelhvepxaixyiwfxtjoynanrtsmmhwdgzbxzgwvskomjlirwwtvjlpmugivnauwvjojtwcwvsbzfwagupxkoqoucdrvrjbmxxkgndjsacfxizgozbdxlpbeldjsdsjolsaxuwwvmvfztcxbkmyjskeluxedqwgioakvslkmqvpckinzihayjcsihppnyxmhtopeoxqwatfhdxteuvjjmhslruxwnsdsfepfogawpyncglvvezrsuftasaqlqthuaijmuunhdbdyqsxyvdmrrqwhnsiwfbeashzejspbclammycavaabhovajdkjrlorjkkwlakfgvdzgulwtlzopsgqfvunuqvrqdkheqxvnkyitojgeuszfxbuivohwmqffsbjzluxorcljdsentemicuvjtpvhvbffozrhybexmerxcknjqyryyeoqhlkoosogqadtdeyygqciylavgusmigjyehzlaxoifizfuarftusntarnigwtqoswwppzoyxghlwimrywtzgdhketvktnflcqufmjmnammjipcdrwyczzegwcxekaabvjyikfdncqiqemmdzallsqahdcdhccwdurimhuhejdrkrgfrkuqhmyhjxbua
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000635000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\er
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003310000.00000004.00001000.00020000.00000000.sdmp, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.dr | Binary or memory string: BShell_TrayWndTrayNotifyWnd
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C658D0 cpuid
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BCAFFD GetSystemTimeAsFileTime,
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BFCFFF GetVersionExW,
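The evidence rows above are the raw material for the "Tries to detect sandboxes" and "Queries sensitive Operating System Information (via WMI)" signatures: a WMI query for a process by name (PETOOLS.EXE), a Win32_ComputerSystem query, hypervisor strings (Hyper-V, VMware) in memory, a 30-second sleep and a cpuid probe. The Python below is an editor's example added here, not code from the Joe Sandbox report or from the analysed sample. It splits such rows on the evidence-type markers the report prints (the Source field and the evidence are run together in the raw text; a ' | ' separator is also accepted) and pulls out the indicators an analyst pivots on. The sample rows are copied from the report; the category names, the artifact keyword list and the 10-second sleep threshold are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Evidence rows copied from the report above, as the report prints them
# (Source and evidence run together).
SAMPLE_LINES = [
    'Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE"K0',
    'Source: C:\\Users\\user\\AppData\\Local\\Temp\\is-NBNHJ.tmp\\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : Select * from Win32_ComputerSystem',
    'Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW',
    'Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\??\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\er',
    'Source: C:\\Users\\user\\AppData\\Local\\Temp\\is-VP1HK.tmp\\plugin-newest_release_.tmp TID: 4160Thread sleep time: -30000s >= -30000s',
    'Source: C:\\Users\\user\\AppData\\Local\\Temp\\is-VT04S.tmp\\idp.exeCode function: 5_2_00C658D0 cpuid',
]

# Evidence-type markers the report prints; the earliest one in a row is where the evidence starts.
EVIDENCE_MARKERS = (
    "Binary or memory string:", "WMI Queries:", "Thread sleep time:", "Code function:",
    "Key opened:", "Dropped PE file which has not been started:", "Process created:",
)
# Substrings that name a hypervisor or analysis tool (this example's own list).
VM_ARTIFACTS = ("vmware", "hyper-v", "vbox", "virtualbox", "qemu", "sbiedll")
SLEEP_THRESHOLD_S = 10  # this example's own cut-off for a "long" sleep

WMI_PROC_RE = re.compile(r'WIN32_PROCESS\s+WHERE\s+NAME\s*=\s*"([^"]+)"', re.I)
WMI_CLASS_RE = re.compile(r"\bfrom\s+(Win32_\w+)", re.I)
SLEEP_RE = re.compile(r"-?(\d+)s")


@dataclass(frozen=True)
class Finding:
    category: str  # e.g. "wmi-process-check"
    detail: str    # the matched value
    source: str    # process or memory dump the report attributes it to


def split_source(line: str) -> Tuple[str, str, str]:
    """Return (source, evidence_kind, evidence) for one report row."""
    body = line[len("Source: "):] if line.startswith("Source: ") else line
    hits = [(body.find(m), m) for m in EVIDENCE_MARKERS if m in body]
    if not hits:
        return body.strip(), "", ""
    pos, marker = min(hits)
    return body[:pos].strip(" |"), marker.rstrip(":"), body[pos + len(marker):].strip()


def classify(line: str) -> List[Finding]:
    """Extract the evasion-related indicators from one evidence row."""
    source, kind, evidence = split_source(line)
    found: List[Finding] = []
    for name in WMI_PROC_RE.findall(evidence):      # WMI lookup of a tool by process name
        found.append(Finding("wmi-process-check", name.upper(), source))
    for cls in WMI_CLASS_RE.findall(evidence):      # any Win32_* class queried
        found.append(Finding("wmi-class-query", cls, source))
    lowered = evidence.lower()
    for token in VM_ARTIFACTS:                      # hypervisor / tool artifact strings
        if token in lowered:
            found.append(Finding("vm-artifact-string", token, source))
    if kind == "Thread sleep time":                 # evidence looks like "-30000s >= -30000s"
        m = SLEEP_RE.match(evidence)
        if m and int(m.group(1)) >= SLEEP_THRESHOLD_S:
            found.append(Finding("long-sleep", m.group(1) + "s", source))
    if kind == "Code function" and re.search(r"\bcpuid\b", lowered):
        found.append(Finding("cpuid-probe", evidence.split()[0], source))
    return found


def hunted_process_names(lines: List[str]) -> List[str]:
    """Process names the sample looks for via WMI, sorted and de-duplicated."""
    names = {f.detail for line in lines for f in classify(line) if f.category == "wmi-process-check"}
    return sorted(names)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count findings per category over a whole evidence section."""
    counts: Dict[str, int] = {}
    for line in lines:
        for f in classify(line):
            counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for f in classify(line):
            print(f"{f.category:20} {f.detail:25} <- {f.source}")
    print("hunted processes:", hunted_process_names(SAMPLE_LINES))
    print("summary:", summarize(SAMPLE_LINES))
```

The process names returned by hunted_process_names are the direct pivot: a sample that asks WMI for a specific analysis tool by name has the tool's name hard-coded, so the same list can be fed into a YARA or memory-string rule for related droppers.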
MITRE ATT&CK Matrix (one tactic per column; a leading number is the count the report attaches to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Spearphishing Link | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 12 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 3 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 36 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1632176
Sample: plugin-newest_release_.exe
Start date: 07/03/2025
Architecture: WINDOWS
Score: 52
Domains contacted: tinyurl.com, rentry.org

Process tree (dropped files, signatures and network contacts are listed under the process that produced them):

plugin-newest_release_.exe
    signature: Multi AV Scanner detection for submitted file
    dropped: C:\Users\user\...\plugin-newest_release_.tmp (PE32)
    started: plugin-newest_release_.tmp
        dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        dropped: C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
        signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        started: plugin-newest_release_.exe
            dropped: C:\Users\user\...\plugin-newest_release_.tmp (PE32)
            started: plugin-newest_release_.tmp
                network: rentry.org 164.132.58.105, port 443, local port 49687, OVHFR, France
                network: tinyurl.com 104.17.112.233, port 443, local port 49686, CLOUDFLARENETUS, United States
                dropped: C:\Users\user\AppData\Local\Temp\...\idp.exe (PE32)
                dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
                dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
                dropped: C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
                started: idp.exe
                    started: conhost.exe

Sample:
Source | Detection | Scanner
plugin-newest_release_.exe | 29% | Virustotal
plugin-newest_release_.exe | 16% | ReversingLabs

Dropped files:
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\idp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
URLs:
Source | Detection | Scanner | Label
http://127.0.0.1/innosetup/index.htm | 0% | Avira URL Cloud | safe
http://localhost:8191/index.html | 0% | Avira URL Cloud | safe
http://www.resplendence.com/ | 0% | Avira URL Cloud | safe
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tinyurl.com | 104.17.112.233 | true | false | | high
rentry.org | 164.132.58.105 | true | false | | high
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://tinyurl.com/3ann877w | false | | high
https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw | false | | high
URLs found in memory or binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.dr | false | | high
http://127.0.0.1/innosetup/index.htm | plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902012909.000000007FBC0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://microsoft.co | plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.kymoto.orgAbout | plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.0000000002214000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://rentry.co/ | plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.co/static/icons/512.png | plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | plugin-newest_release_.exe | false | | high
https://rentry.org/19a9c50a58c8bcd7082384f7506 | plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.co/static/icons/5 | plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.co/what | plugin-newest_release_.tmp, 00000004.00000003.1053065723.0000000003BCA000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.0000000003328000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051001188.0000000003329000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.000000000332A000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.resplendence.com/ | plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021B5000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.0000000002095000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bitbucket.org/mitrich_k/inno-download-plugin | idp.dll.1.dr, idp.dll.4.dr | false | | high
http://www.kymoto.org | plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000003.00000003.1063262080.0000000002181000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.remobjects.com/ps | plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.dr | false | | high
https://tinyurl.com/3ann877w-) | plugin-newest_release_.tmp, 00000004.00000002.1057613365.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.901897258.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tinyurl.com/ | plugin-newest_release_.tmp, 00000004.00000003.1056692793.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://mitrichsoftware.wordpress.comB | idp.dll.1.dr, idp.dll.4.dr | false | | high
http://localhost:8191/index.html | DontSleep_x64.exe.1.dr | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
164.132.58.105 | rentry.org | France | 16276 | OVHFR | false
104.17.112.233 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1632176
                                        Start date and time:2025-03-07 20:24:48 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 4m 53s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:7
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:plugin-newest_release_.exe
                                        Detection:MAL
                                        Classification:mal52.evad.winEXE@10/10@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 96%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Stop behavior analysis, all processes terminated
                                        • Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:25:59 | API Interceptor | 2x Sleep call for process: plugin-newest_release_.tmp modified
                                        Process:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):530696
                                        Entropy (8bit):6.855729200155896
                                        Encrypted:false
                                        SSDEEP:6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
                                        MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
                                        SHA1:E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
                                        SHA-256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
                                        SHA-512:B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:high, very likely benign file
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):237568
                                        Entropy (8bit):6.42067568634536
                                        Encrypted:false
                                        SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                        MD5:55C310C0319260D798757557AB3BF636
                                        SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                        SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                        SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:moderate, very likely benign file
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\plugin-newest_release_.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1185792
                                        Entropy (8bit):6.397623231254155
                                        Encrypted:false
                                        SSDEEP:24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io
                                        MD5:BE3CC5717F5951662ADB399D613F20CC
                                        SHA1:F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A
                                        SHA-256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
                                        SHA-512:FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 4%
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......H...................idata..@8.......:...H..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................
                                        Process:C:\Users\user\Desktop\plugin-newest_release_.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1185792
                                        Entropy (8bit):6.397623231254155
                                        Encrypted:false
                                        SSDEEP:24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io
                                        MD5:BE3CC5717F5951662ADB399D613F20CC
                                        SHA1:F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A
                                        SHA-256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
                                        SHA-512:FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 4%
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......H...................idata..@8.......:...H..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):530696
                                        Entropy (8bit):6.855729200155896
                                        Encrypted:false
                                        SSDEEP:6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
                                        MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
                                        SHA1:E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
                                        SHA-256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
                                        SHA-512:B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):237568
                                        Entropy (8bit):6.42067568634536
                                        Encrypted:false
                                        SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                        MD5:55C310C0319260D798757557AB3BF636
                                        SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                        SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                        SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):847360
                                        Entropy (8bit):6.655399003035542
                                        Encrypted:false
                                        SSDEEP:24576:N5Oh3oXwjoThmYgKmRCcBcIGvymfIRNM9+1nG0:Ng9ogjoVsRlBAPV+40
                                        MD5:6482EE0F372469D1190C74BD70D76153
                                        SHA1:9001213D28E5B0B18AA24114A38A1EFE1A767698
                                        SHA-256:4B7FC7818F3168945DBEDADCFD7AAF470B88543EF6B685619AD1C942AC3B1DED
                                        SHA-512:6A5C2BDF58CD8DEADF51302D8F8B17A14908809EF700A1E366E7D107B1E22ABE8CAF1F68E7EB9D35E9B519793699C3492323F6577C3569A56AC3C845516625F3
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........................r...........................l...r..........1....<............#'....i......6.....Rich..........................PE..L...0DCf.............................U............@.......................................@..................................j..x....`.......................p..0g......................................................P............................text............................... ..`.rdata...g.......h..................@..@.data................f..............@....sxdata......P.......n..............@....rsrc........`.......p..............@..@.reloc...u...p...v...x..............@..B................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):415
                                        Entropy (8bit):4.90296454717944
                                        Encrypted:false
                                        SSDEEP:6:AMpnOMvotkMylHcAxXF2SaieCHhJ23fzIdqmaLgbWoJPXCHhJ23fzIdCtGvovnb6:pt6wnRwFi3mQ1xiCtGKqK2
                                        MD5:8E24313A38F9D87C7B997FA29A3EFAD9
                                        SHA1:E86696FC63223ABD7678AA327808DF04E1354CB3
                                        SHA-256:420CA8B092DE23273EB69A0EF1BE12450DBD107A0301D5F99A69559A0F6F730E
                                        SHA-512:4624CB74F07C4A41B038D8B254F554E6993DF312795314AAA8B011491D9E6ECC4CD7CEE4A92E989BC692114E56E82BB87B1AE5F4A84802B3BC59FDB893185399
                                        Malicious:false
                                        Preview:..7-Zip (a) 24.05 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-05-14....Scanning the drive for archives:.. 0M Scan C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\. ...ERROR: The system cannot find the file specified...C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip........System ERROR:..The system cannot find the file specified...
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.954848249731403
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.94%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:plugin-newest_release_.exe
                                        File size:1'640'566 bytes
                                        MD5:55708f430c572fffe83624c57fcbe657
                                        SHA1:f5ce9f6ac27e11df7142c7ce88697836388d7341
                                        SHA256:977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383
                                        SHA512:85945a1c183e589d450029d136dde184b68934ceaedfcca344b31da5aabbc97eb5c17d799fbcdbdb55272c1e18ca3846a20934785d81244a653a4b3d9bdf9d93
                                        SSDEEP:24576:L86hvqKNIYzqm6LDQm3zZ/sHTISn+/Dev8l+MDnbBM8r5WUY4pv1LNdYryk:/5IY+m6nxZ/8TISnMDev0bBM8/Y4pviP
                                        TLSH:6F752303B3CB1432F4982D368CB4C414AD677DF819FAA11A2CB5D60D1ABE9D68C77762
                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                        Icon Hash:2d2e3797b32b2b99
                                        Entrypoint:0x41181c
                                        Entrypoint Section:.itext
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x5B1A0D8D [Fri Jun 8 05:01:01 2018 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:0
                                        File Version Major:5
                                        File Version Minor:0
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:0
                                        Import Hash:20dd26497880c05caed9305b3c8b9109
                                        Signature Valid:false
                                        Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                        Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST). This code means the Authenticode hash computed over the file does not match the hash embedded in the signature, i.e. the signed bytes were altered after signing or the signature was transplanted from another file; the certificate chain itself (GlobalSign EV, subject Nenad Hrg) is not what failed, which would have produced a different error such as CERT_E_UNTRUSTEDROOT.
Not Before:24/07/2024 07:16:20
Not After:27/08/2026 11:33:53
                                        Subject Chain
                                        • E=support@softwareok.com, CN=Nenad Hrg, O=Nenad Hrg, STREET=Edelweissstr. 104, L=Taufkirchen, S=Bayern, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Taufkirchen, OID.1.3.6.1.4.1.311.60.2.1.2=Bayern, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=2016, OID.2.5.4.15=Private Organization
                                        Version:3
                                        Thumbprint MD5:02FA1932AC9D3D360F3D0323CCDA30EC
                                        Thumbprint SHA-1:0181DA2D78A2EC6E6966C59A0A663E9D8F0C2F93
                                        Thumbprint SHA-256:AD02A24C8D2FFBC5F7E946048F23967690A9EE43C5B6842093AD345CA83FB7B5
                                        Serial:688627716A10C6EBD3648632
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        add esp, FFFFFFA4h
                                        push ebx
                                        push esi
                                        push edi
                                        xor eax, eax
                                        mov dword ptr [ebp-3Ch], eax
                                        mov dword ptr [ebp-40h], eax
                                        mov dword ptr [ebp-5Ch], eax
                                        mov dword ptr [ebp-30h], eax
                                        mov dword ptr [ebp-38h], eax
                                        mov dword ptr [ebp-34h], eax
                                        mov dword ptr [ebp-2Ch], eax
                                        mov dword ptr [ebp-28h], eax
                                        mov dword ptr [ebp-14h], eax
                                        mov eax, 0041015Ch
                                        call 00007F5374D1BABDh
                                        xor eax, eax
                                        push ebp
                                        push 00411EFEh
                                        push dword ptr fs:[eax]
                                        mov dword ptr fs:[eax], esp
                                        xor edx, edx
                                        push ebp
                                        push 00411EBAh
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        mov eax, dword ptr [00415B48h]
                                        call 00007F5374D2421Bh
                                        call 00007F5374D23D6Ah
                                        cmp byte ptr [00412AE0h], 00000000h
                                        je 00007F5374D26D3Eh
                                        call 00007F5374D24330h
                                        xor eax, eax
                                        call 00007F5374D19B55h
                                        lea edx, dword ptr [ebp-14h]
                                        xor eax, eax
                                        call 00007F5374D20D9Bh
                                        mov edx, dword ptr [ebp-14h]
                                        mov eax, 00418658h
                                        call 00007F5374D1A12Ah
                                        push 00000002h
                                        push 00000000h
                                        push 00000001h
                                        mov ecx, dword ptr [00418658h]
                                        mov dl, 01h
                                        mov eax, dword ptr [0040C04Ch]
                                        call 00007F5374D216B2h
                                        mov dword ptr [0041865Ch], eax
                                        xor edx, edx
                                        push ebp
                                        push 00411E66h
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        call 00007F5374D2428Eh
                                        mov dword ptr [00418664h], eax
                                        mov eax, dword ptr [00418664h]
                                        cmp dword ptr [eax+0Ch], 01h
                                        jne 00007F5374D26D7Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19000 | 0xe04 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xb200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18df6e | 0x2908 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1b000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19304 | 0x214 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: for IMAGE_DIRECTORY_ENTRY_SECURITY the address column holds a raw file offset, not an RVA, which is why it maps to no section. 0x18df6e + 0x2908 = 1,640,566, exactly the file size, so the Authenticode certificate table is the trailing 10,504 bytes of the file and everything between the end of the last section and that offset is overlay data (the Inno Setup payload) that is covered by the signature.
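The report's "Signature Valid: false" with a bad-digest error is worth reproducing independently, because the verdict depends on exactly which bytes the Authenticode hash covers. The following added example (written for this page, not code from Joe Sandbox, Inno Setup or SoftwareOK) implements the Authenticode hashing rule from the Authenticode PE specification: everything is hashed except the CheckSum field, the security data-directory entry and the certificate table itself, with section data taken in PointerToRawData order and any overlay after the last section included. It runs on a minimal PE it constructs itself (the section payload, overlay text and certificate blob are placeholders, and SHA-256 is assumed because the report does not state the digest algorithm of the real signature) and shows that patching the checksum or the certificate table leaves the digest intact, while one flipped byte in the overlay, where an Inno Setup installer keeps its payload, yields the TRUST_E_BAD_DIGEST outcome seen above.

```python
import hashlib
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode digest of an in-memory PE, per the Authenticode PE spec.

    Everything is hashed except the CheckSum field, the security directory
    entry and the certificate table itself; section data is taken in
    PointerToRawData order and any overlay after the last section is included.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sec_entry = dirs + SECURITY_DIR * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_entry)  # raw offset, not RVA

    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_entry])
    h.update(data[sec_entry + 8:size_of_headers])

    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Overlay (e.g. an Inno Setup payload) minus the certificate table, which
    # normally occupies the tail of the file.
    if cert_size:
        h.update(data[hashed:cert_off])
        h.update(data[cert_off + cert_size:])
    else:
        h.update(data[hashed:])
    return h.hexdigest()


def build_test_pe(section_payload: bytes, overlay: bytes, cert_blob: bytes) -> bytes:
    """Assemble a minimal, non-runnable PE32 with one section (constructed test input)."""
    size_of_headers = raw_align = 0x200
    sec_raw = -(-len(section_payload) // raw_align) * raw_align
    cert_off = size_of_headers + sec_raw + len(overlay)
    # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7)
    cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 2) + cert_blob
    cert_table += b"\0" * (-len(cert_table) % 8)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)         # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, raw_align)         # ImageBase, alignments
    struct.pack_into("<II", opt, 60, size_of_headers, 0xDEADBEEF)          # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, cert_off, len(cert_table))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          sec_raw, size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (size_of_headers - len(headers))
    body = section_payload + b"\0" * (sec_raw - len(section_payload))
    return headers + body + overlay + cert_table


def demo() -> dict:
    """Show which byte edits break the digest, on the constructed PE above."""
    pe = build_test_pe(b"\xC3" * 16, b"InnoSetup-style overlay", b"fake-pkcs7-blob")
    base = authenticode_hash(pe)
    opt = 0x40 + 4 + 20                                  # optional header offset in the test PE
    cert_off = struct.unpack_from("<I", pe, opt + 96 + SECURITY_DIR * 8)[0]

    def patched_keeps_digest(offset: int) -> bool:
        buf = bytearray(pe)
        buf[offset] ^= 0xFF
        return authenticode_hash(bytes(buf)) == base

    return {
        "digest": base,
        "checksum": patched_keeps_digest(opt + 64),                 # excluded: still verifies
        "cert_table": patched_keeps_digest(cert_off + 8),           # excluded: still verifies
        "overlay": patched_keeps_digest(pe.index(b"InnoSetup")),    # covered: TRUST_E_BAD_DIGEST
    }
```

To apply this to the real sample, read the file bytes, call authenticode_hash with the digest algorithm named in the signature's SignerInfo (this report does not show it), and compare against the messageDigest attribute extracted from the PKCS#7 blob at file offset 0x18df6e; a mismatch there is exactly what Windows reports as error 0x80096010.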
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf25c | 0xf400 | 0da5d73ffbc41792fa65a09058a91476 | False | 0.5482197745901639 | data | 6.375879013420213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x11000 | 0xfa4 | 0x1000 | 2eb275566563c3f1d0099a0da7345b74 | False | 0.563720703125 | data | 5.778765357049134 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0xc8c | 0xe00 | 73b859e23f5fd17e00c08db2e0e73dfe | False | 0.25362723214285715 | data | 2.3028287433175367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x13000 | 0x56bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x19000 | 0xe04 | 0x1000 | e9b9c0328fd9628ad4d6ab8283dcb20e | False | 0.321533203125 | data | 4.597812557707959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1c000 | 0xb200 | 0xb200 | 523facfe6cbb31c3afe25bedfd7e91b7 | False | 0.17834884129213482 | data | 4.142505918306035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x1d63c | 0x68 | data | | | 0.6538461538461539
RT_STRING | 0x1d6a4 | 0xd4 | data | | | 0.5283018867924528
RT_STRING | 0x1d778 | 0xa4 | data | | | 0.6524390243902439
RT_STRING | 0x1d81c | 0x2ac | data | | | 0.45614035087719296
RT_STRING | 0x1dac8 | 0x34c | data | | | 0.4218009478672986
RT_STRING | 0x1de14 | 0x294 | data | | | 0.4106060606060606
RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x26390 | 0x10 | data | | | 1.5
RT_RCDATA | 0x263a0 | 0x150 | data | | | 0.8392857142857143
RT_RCDATA | 0x264f0 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.2910094637223975
RT_MANIFEST | 0x26a50 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Imports (one row per import descriptor; the same DLL appears several times because each Delphi/Inno unit carries its own descriptor)
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
Description | Data
Comments | This installation was built with Inno Setup.
CompanyName | Nenad Hrg (SoftwareOK.com)
FileDescription | DontSleep
FileVersion | 9.59.1.0
LegalCopyright |
ProductName | DontSleep
ProductVersion | 9.59.1.0
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T20:25:55.616045+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49686 | 104.17.112.233 | 443 | TCP
2025-03-07T20:25:59.489617+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49687 | 164.132.58.105 | 443 | TCP
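Both alerts are the same JA3 rule firing on the ClientHello of each TLS session, and JA3 fingerprints the TLS client implementation and its configuration (version, cipher list, extension list, curves, point formats), not the program or the destination; any software built on the same TLS stack produces the same hash, which is why the rule carries severity 3 and is corroborating evidence at most. The following added example (written for this page, not code from Joe Sandbox or Emerging Threats) shows how a JA3 string and hash are derived from a raw ClientHello record, including the GREASE filtering that keeps the fingerprint stable across connections. The ClientHello it parses is constructed inline with a placeholder SNI (example.test) and a small cipher list; the JA3 value that rule 2028371 actually matches is not reproduced here and is not shown in the report.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are skipped when building a JA3 string.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def ja3_from_record(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello.

    JA3 = SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats,
    each list dash-joined in wire order, then MD5 of that string.
    """
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]                                   # 5-byte record + 4-byte handshake header
    version = struct.unpack_from(">H", body, 0)[0]
    pos = 2 + 32                                        # client_version + random
    pos += 1 + body[pos]                                # session_id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [c for c in struct.unpack(f">{cs_len // 2}H", body[pos:pos + cs_len])
               if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                                # compression_methods
    exts, curves, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                             # supported_groups
                n = struct.unpack_from(">H", edata, 0)[0]
                curves = [g for g in struct.unpack(f">{n // 2}H", edata[2:2 + n])
                          if g not in GREASE]
            elif etype == 11:                           # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = ",".join([str(version), dash(ciphers), dash(exts), dash(curves), dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(ciphers, extensions) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"         # version, random, empty session_id
    body += struct.pack(f">H{len(ciphers)}H", 2 * len(ciphers), *ciphers)
    body += b"\x01\x00"                                 # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def demo_ja3() -> tuple:
    """Fingerprint a constructed ClientHello; example.test is a placeholder SNI."""
    sni = b"\x00\x0f\x00\x00\x0cexample.test"
    groups = struct.pack(">H3H", 6, 0x0A0A, 0x001D, 0x0017)   # GREASE, x25519, secp256r1
    formats = b"\x01\x00"                                     # uncompressed only
    hello = build_client_hello(
        [0x3A3A, 0xC02B, 0xC02F, 0x009C],                    # GREASE, two ECDHE suites, one RSA
        [(0x2A2A, b""), (0, sni), (10, groups), (11, formats), (23, b"")],
    )
    return ja3_from_record(hello)
```

Feeding the captured ClientHello from port 49686 (sent at 20:25:55.616, the packet that raised the first alert) through ja3_from_record would reproduce the hash Suricata matched; comparing that hash against a known-good capture from the same software on a clean host is the quickest way to tell a shared TLS-stack fingerprint from a genuinely unusual client.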
                                        • Total Packets: 20
                                        • 443 (HTTPS)
                                        • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:25:47.544495106 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:47.544540882 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:47.544599056 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:47.548432112 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:47.548455954 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.615808964 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.616044998 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.620336056 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.620378971 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.620677948 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.679147005 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.685628891 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.728362083 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:56.400598049 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:56.421746016 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:56.519794941 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:56.519846916 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:56.519927025 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:56.520340919 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:56.520375013 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.489531994 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.489617109 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:59.605267048 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:59.605310917 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.605678082 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.624377966 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:59.672329903 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444390059 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444418907 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444473982 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.444511890 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444529057 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444605112 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.446819067 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.446846008 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.446856976 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.446867943 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:25:47.497876883 CET | 55588 | 53 | 192.168.2.8 | 1.1.1.1
Mar 7, 2025 20:25:47.505459070 CET | 53 | 55588 | 1.1.1.1 | 192.168.2.8
Mar 7, 2025 20:25:56.441123962 CET | 57971 | 53 | 192.168.2.8 | 1.1.1.1
Mar 7, 2025 20:25:56.464108944 CET | 53 | 57971 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 20:25:47.497876883 CET | 192.168.2.8 | 1.1.1.1 | 0x29c1 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:25:56.441123962 CET | 192.168.2.8 | 1.1.1.1 | 0xf7d2 | Standard query (0) | rentry.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 20:25:47.505459070 CET | 1.1.1.1 | 192.168.2.8 | 0x29c1 | No error (0) | tinyurl.com | | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:25:47.505459070 CET | 1.1.1.1 | 192.168.2.8 | 0x29c1 | No error (0) | tinyurl.com | | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:25:56.464108944 CET | 1.1.1.1 | 192.168.2.8 | 0xf7d2 | No error (0) | rentry.org | | 164.132.58.105 | A (IP address) | IN (0x0001) | false
• tinyurl.com
• rentry.org
Target ID: 0
Start time: 14:25:40
Start date: 07/03/2025
Path: C:\Users\user\Desktop\plugin-newest_release_.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\plugin-newest_release_.exe"
Imagebase: 0x400000
File size: 1,640,566 bytes
MD5 hash: 55708F430C572FFFE83624C57FCBE657
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 1
Start time: 14:25:40
Start date: 07/03/2025
Path: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
Imagebase: 0x400000
File size: 1,185,792 bytes
MD5 hash: BE3CC5717F5951662ADB399D613F20CC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 14:25:44
Start date: 07/03/2025
Path: C:\Users\user\Desktop\plugin-newest_release_.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Imagebase: 0x400000
File size: 1,640,566 bytes
MD5 hash: 55708F430C572FFFE83624C57FCBE657
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 4
Start time: 14:25:44
Start date: 07/03/2025
Path: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Imagebase: 0x400000
File size: 1,185,792 bytes
MD5 hash: BE3CC5717F5951662ADB399D613F20CC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 5
Start time: 14:25:59
Start date: 07/03/2025
Path: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
Imagebase: 0xbc0000
File size: 847,360 bytes
MD5 hash: 6482EE0F372469D1190C74BD70D76153
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 6
Start time: 14:25:59
Start date: 07/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6e60e0000
File size: 862,208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly