Edit tour
Windows
Analysis Report
plugin-newest_release_.exe
Overview
General Information
| Sample name: | plugin-newest_release_.exe |
| Analysis ID: | 1632176 |
| MD5: | 55708f430c572fffe83624c57fcbe657 |
| SHA1: | f5ce9f6ac27e11df7142c7ce88697836388d7341 |
| SHA256: | 977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383 |
| Tags: | exeuser-aachum |
| Infos: | |
 | |
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Connects to a URL shortener service
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
plugin-newest_release_.exe (PID: 6880 cmdline: "C:\Users\ user\Deskt op\plugin- newest_rel ease_.exe" MD5: 55708F430C572FFFE83624C57FCBE657) - plugin-newest_release_.tmp (PID: 6920 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-NBN HJ.tmp\plu gin-newest _release_. tmp" /SL5= "$103DE,86 5334,12134 4,C:\Users \user\Desk top\plugin -newest_re lease_.exe " MD5: BE3CC5717F5951662ADB399D613F20CC) - plugin-newest_release_.exe (PID: 6344 cmdline:
"C:\Users\ user\Deskt op\plugin- newest_rel ease_.exe" /verysile nt /sp- MD5: 55708F430C572FFFE83624C57FCBE657) - plugin-newest_release_.tmp (PID: 6256 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-VP1 HK.tmp\plu gin-newest _release_. tmp" /SL5= "$403F4,86 5334,12134 4,C:\Users \user\Desk top\plugin -newest_re lease_.exe " /verysil ent /sp- MD5: BE3CC5717F5951662ADB399D613F20CC) 
idp.exe (PID: 5516 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\is-VT0 4S.tmp\idp .exe" x "C :\Users\us er\AppData \Local\Tem p\is-VT04S .tmp\DontS leep_x64.z ip" -o"C:\ Users\user \AppData\L ocal\Progr ams\Common " -y -p19a 9c50a58c8b cd7082384f 7506df9c74 bcb439d904 efe09ba468 7fab6b3234 d MD5: 6482EE0F372469D1190C74BD70D76153) 
conhost.exe (PID: 4328 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T20:25:55.616045+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49686 | 104.17.112.233 | 443 | TCP |
| 2025-03-07T20:25:59.489617+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49687 | 164.132.58.105 | 443 | TCP |
- • AV Detection
- • Compliance
- • Spreading
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Process token adjusted: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | Key value created or modified: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Key value queried: | ||
| Source: | Key value created or modified: | ||
| Source: | Window found: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
Malware Analysis System Evasion | |
|---|
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | ||
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Spearphishing Link | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 12 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 3 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 36 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 29% | Virustotal | Browse | ||
| 16% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 4% | ReversingLabs | |||
| 4% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| tinyurl.com | 104.17.112.233 | true | false | high | |
| rentry.org | 164.132.58.105 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 164.132.58.105 | rentry.org | France | 16276 | OVHFR | false | |
| 104.17.112.233 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1632176 |
| Start date and time: | 2025-03-07 20:24:48 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | plugin-newest_release_.exe |
| Detection: | MAL |
| Classification: | mal52.evad.winEXE@10/10@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtProtectVirtualMemory calls found. - Report size getting too big, t
oo many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 14:25:59 | API Interceptor |
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
| Process: | C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 530696 |
| Entropy (8bit): | 6.855729200155896 |
| Encrypted: | false |
| SSDEEP: | 6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR |
| MD5: | 8D0EEBD8F9083EE140B42321C1DC6FE5 |
| SHA1: | E0260AD414DDEA10CB35F73E1B2F957A86AFBC39 |
| SHA-256: | A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E |
| SHA-512: | B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6144 |
| Entropy (8bit): | 4.720366600008286 |
| Encrypted: | false |
| SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0 |
| MD5: | E4211D6D009757C078A9FAC7FF4F03D4 |
| SHA1: | 019CD56BA687D39D12D4B13991C9A42EA6BA03DA |
| SHA-256: | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
| SHA-512: | 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 237568 |
| Entropy (8bit): | 6.42067568634536 |
| Encrypted: | false |
| SSDEEP: | 3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N |
| MD5: | 55C310C0319260D798757557AB3BF636 |
| SHA1: | 0892EB7ED31D8BB20A56C6835990749011A2D8DE |
| SHA-256: | 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED |
| SHA-512: | E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\plugin-newest_release_.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1185792 |
| Entropy (8bit): | 6.397623231254155 |
| Encrypted: | false |
| SSDEEP: | 24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io |
| MD5: | BE3CC5717F5951662ADB399D613F20CC |
| SHA1: | F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A |
| SHA-256: | 8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25 |
| SHA-512: | FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\plugin-newest_release_.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1185792 |
| Entropy (8bit): | 6.397623231254155 |
| Encrypted: | false |
| SSDEEP: | 24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io |
| MD5: | BE3CC5717F5951662ADB399D613F20CC |
| SHA1: | F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A |
| SHA-256: | 8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25 |
| SHA-512: | FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 530696 |
| Entropy (8bit): | 6.855729200155896 |
| Encrypted: | false |
| SSDEEP: | 6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR |
| MD5: | 8D0EEBD8F9083EE140B42321C1DC6FE5 |
| SHA1: | E0260AD414DDEA10CB35F73E1B2F957A86AFBC39 |
| SHA-256: | A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E |
| SHA-512: | B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6144 |
| Entropy (8bit): | 4.720366600008286 |
| Encrypted: | false |
| SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0 |
| MD5: | E4211D6D009757C078A9FAC7FF4F03D4 |
| SHA1: | 019CD56BA687D39D12D4B13991C9A42EA6BA03DA |
| SHA-256: | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
| SHA-512: | 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 237568 |
| Entropy (8bit): | 6.42067568634536 |
| Encrypted: | false |
| SSDEEP: | 3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N |
| MD5: | 55C310C0319260D798757557AB3BF636 |
| SHA1: | 0892EB7ED31D8BB20A56C6835990749011A2D8DE |
| SHA-256: | 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED |
| SHA-512: | E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 847360 |
| Entropy (8bit): | 6.655399003035542 |
| Encrypted: | false |
| SSDEEP: | 24576:N5Oh3oXwjoThmYgKmRCcBcIGvymfIRNM9+1nG0:Ng9ogjoVsRlBAPV+40 |
| MD5: | 6482EE0F372469D1190C74BD70D76153 |
| SHA1: | 9001213D28E5B0B18AA24114A38A1EFE1A767698 |
| SHA-256: | 4B7FC7818F3168945DBEDADCFD7AAF470B88543EF6B685619AD1C942AC3B1DED |
| SHA-512: | 6A5C2BDF58CD8DEADF51302D8F8B17A14908809EF700A1E366E7D107B1E22ABE8CAF1F68E7EB9D35E9B519793699C3492323F6577C3569A56AC3C845516625F3 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 415 |
| Entropy (8bit): | 4.90296454717944 |
| Encrypted: | false |
| SSDEEP: | 6:AMpnOMvotkMylHcAxXF2SaieCHhJ23fzIdqmaLgbWoJPXCHhJ23fzIdCtGvovnb6:pt6wnRwFi3mQ1xiCtGKqK2 |
| MD5: | 8E24313A38F9D87C7B997FA29A3EFAD9 |
| SHA1: | E86696FC63223ABD7678AA327808DF04E1354CB3 |
| SHA-256: | 420CA8B092DE23273EB69A0EF1BE12450DBD107A0301D5F99A69559A0F6F730E |
| SHA-512: | 4624CB74F07C4A41B038D8B254F554E6993DF312795314AAA8B011491D9E6ECC4CD7CEE4A92E989BC692114E56E82BB87B1AE5F4A84802B3BC59FDB893185399 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.954848249731403 |
| TrID: |
|
| File name: | plugin-newest_release_.exe |
| File size: | 1'640'566 bytes |
| MD5: | 55708f430c572fffe83624c57fcbe657 |
| SHA1: | f5ce9f6ac27e11df7142c7ce88697836388d7341 |
| SHA256: | 977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383 |
| SHA512: | 85945a1c183e589d450029d136dde184b68934ceaedfcca344b31da5aabbc97eb5c17d799fbcdbdb55272c1e18ca3846a20934785d81244a653a4b3d9bdf9d93 |
| SSDEEP: | 24576:L86hvqKNIYzqm6LDQm3zZ/sHTISn+/Dev8l+MDnbBM8r5WUY4pv1LNdYryk:/5IY+m6nxZ/8TISnMDev0bBM8/Y4pviP |
| TLSH: | 6F752303B3CB1432F4982D368CB4C414AD677DF819FAA11A2CB5D60D1ABE9D68C77762 |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | 2d2e3797b32b2b99 |
| Entrypoint: | 0x41181c |
| Entrypoint Section: | .itext |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5B1A0D8D [Fri Jun 8 05:01:01 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 20dd26497880c05caed9305b3c8b9109 |
| Signature Valid: | false |
| Signature Issuer: | CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 02FA1932AC9D3D360F3D0323CCDA30EC |
| Thumbprint SHA-1: | 0181DA2D78A2EC6E6966C59A0A663E9D8F0C2F93 |
| Thumbprint SHA-256: | AD02A24C8D2FFBC5F7E946048F23967690A9EE43C5B6842093AD345CA83FB7B5 |
| Serial: | 688627716A10C6EBD3648632 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFA4h |
| push ebx |
| push esi |
| push edi |
| xor eax, eax |
| mov dword ptr [ebp-3Ch], eax |
| mov dword ptr [ebp-40h], eax |
| mov dword ptr [ebp-5Ch], eax |
| mov dword ptr [ebp-30h], eax |
| mov dword ptr [ebp-38h], eax |
| mov dword ptr [ebp-34h], eax |
| mov dword ptr [ebp-2Ch], eax |
| mov dword ptr [ebp-28h], eax |
| mov dword ptr [ebp-14h], eax |
| mov eax, 0041015Ch |
| call 00007F5374D1BABDh |
| xor eax, eax |
| push ebp |
| push 00411EFEh |
| push dword ptr fs:[eax] |
| mov dword ptr fs:[eax], esp |
| xor edx, edx |
| push ebp |
| push 00411EBAh |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| mov eax, dword ptr [00415B48h] |
| call 00007F5374D2421Bh |
| call 00007F5374D23D6Ah |
| cmp byte ptr [00412AE0h], 00000000h |
| je 00007F5374D26D3Eh |
| call 00007F5374D24330h |
| xor eax, eax |
| call 00007F5374D19B55h |
| lea edx, dword ptr [ebp-14h] |
| xor eax, eax |
| call 00007F5374D20D9Bh |
| mov edx, dword ptr [ebp-14h] |
| mov eax, 00418658h |
| call 00007F5374D1A12Ah |
| push 00000002h |
| push 00000000h |
| push 00000001h |
| mov ecx, dword ptr [00418658h] |
| mov dl, 01h |
| mov eax, dword ptr [0040C04Ch] |
| call 00007F5374D216B2h |
| mov dword ptr [0041865Ch], eax |
| xor edx, edx |
| push ebp |
| push 00411E66h |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| call 00007F5374D2428Eh |
| mov dword ptr [00418664h], eax |
| mov eax, dword ptr [00418664h] |
| cmp dword ptr [eax+0Ch], 01h |
| jne 00007F5374D26D7Ah |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19000 | 0xe04 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xb200 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18df6e | 0x2908 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x1b000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x19304 | 0x214 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xf25c | 0xf400 | 0da5d73ffbc41792fa65a09058a91476 | False | 0.5482197745901639 | data | 6.375879013420213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x11000 | 0xfa4 | 0x1000 | 2eb275566563c3f1d0099a0da7345b74 | False | 0.563720703125 | data | 5.778765357049134 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x12000 | 0xc8c | 0xe00 | 73b859e23f5fd17e00c08db2e0e73dfe | False | 0.25362723214285715 | data | 2.3028287433175367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x13000 | 0x56bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x19000 | 0xe04 | 0x1000 | e9b9c0328fd9628ad4d6ab8283dcb20e | False | 0.321533203125 | data | 4.597812557707959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1c000 | 0xb200 | 0xb200 | 523facfe6cbb31c3afe25bedfd7e91b7 | False | 0.17834884129213482 | data | 4.142505918306035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675 |
| RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179 |
| RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548 |
| RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516 |
| RT_STRING | 0x1d63c | 0x68 | data | 0.6538461538461539 | ||
| RT_STRING | 0x1d6a4 | 0xd4 | data | 0.5283018867924528 | ||
| RT_STRING | 0x1d778 | 0xa4 | data | 0.6524390243902439 | ||
| RT_STRING | 0x1d81c | 0x2ac | data | 0.45614035087719296 | ||
| RT_STRING | 0x1dac8 | 0x34c | data | 0.4218009478672986 | ||
| RT_STRING | 0x1de14 | 0x294 | data | 0.4106060606060606 | ||
| RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235 |
| RT_RCDATA | 0x26390 | 0x10 | data | 1.5 | ||
| RT_RCDATA | 0x263a0 | 0x150 | data | 0.8392857142857143 | ||
| RT_RCDATA | 0x264f0 | 0x2c | data | 1.2045454545454546 | ||
| RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.2910094637223975 |
| RT_MANIFEST | 0x26a50 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
| DLL | Import |
|---|---|
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
| user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW |
| kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW |
| user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW |
| kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW |
| comctl32.dll | InitCommonControls |
| kernel32.dll | Sleep |
| advapi32.dll | AdjustTokenPrivileges |
| Description | Data |
|---|---|
| Comments | This installation was built with Inno Setup. |
| CompanyName | Nenad Hrg (SoftwareOK.com) |
| FileDescription | DontSleep |
| FileVersion | 9.59.1.0 |
| LegalCopyright | |
| ProductName | DontSleep |
| ProductVersion | 9.59.1.0 |
| Translation | 0x0000 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Dutch | Netherlands |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T20:25:55.616045+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49686 | 104.17.112.233 | 443 | TCP |
| 2025-03-07T20:25:59.489617+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49687 | 164.132.58.105 | 443 | TCP |
- Total Packets: 20
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 20:25:47.544495106 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:47.544540882 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:47.544599056 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:47.548432112 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:47.548455954 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:55.615808964 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:55.616044998 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:55.620336056 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:55.620378971 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:55.620677948 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:55.679147005 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:55.685628891 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:55.728362083 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:56.400598049 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8 |
| Mar 7, 2025 20:25:56.421746016 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233 |
| Mar 7, 2025 20:25:56.519794941 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:25:56.519846916 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:25:56.519927025 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:25:56.520340919 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:25:56.520375013 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:25:59.489531994 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:25:59.489617109 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:25:59.605267048 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:25:59.605310917 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:25:59.605678082 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:25:59.624377966 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:25:59.672329903 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:26:00.444390059 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:26:00.444418907 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:26:00.444473982 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:26:00.444511890 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:26:00.444529057 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:26:00.444605112 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:26:00.446819067 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:26:00.446846008 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Mar 7, 2025 20:26:00.446856976 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105 |
| Mar 7, 2025 20:26:00.446867943 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 20:25:47.497876883 CET | 55588 | 53 | 192.168.2.8 | 1.1.1.1 |
| Mar 7, 2025 20:25:47.505459070 CET | 53 | 55588 | 1.1.1.1 | 192.168.2.8 |
| Mar 7, 2025 20:25:56.441123962 CET | 57971 | 53 | 192.168.2.8 | 1.1.1.1 |
| Mar 7, 2025 20:25:56.464108944 CET | 53 | 57971 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 20:25:47.497876883 CET | 192.168.2.8 | 1.1.1.1 | 0x29c1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 7, 2025 20:25:56.441123962 CET | 192.168.2.8 | 1.1.1.1 | 0xf7d2 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 20:25:47.505459070 CET | 1.1.1.1 | 192.168.2.8 | 0x29c1 | No error (0) | 104.17.112.233 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:25:47.505459070 CET | 1.1.1.1 | 192.168.2.8 | 0x29c1 | No error (0) | 104.18.111.161 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:25:56.464108944 CET | 1.1.1.1 | 192.168.2.8 | 0xf7d2 | No error (0) | 164.132.58.105 | A (IP address) | IN (0x0001) | false |
|
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:25:40 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\Desktop\plugin-newest_release_.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'640'566 bytes |
| MD5 hash: | 55708F430C572FFFE83624C57FCBE657 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 14:25:40 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'185'792 bytes |
| MD5 hash: | BE3CC5717F5951662ADB399D613F20CC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 14:25:44 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\Desktop\plugin-newest_release_.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'640'566 bytes |
| MD5 hash: | 55708F430C572FFFE83624C57FCBE657 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 14:25:44 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'185'792 bytes |
| MD5 hash: | BE3CC5717F5951662ADB399D613F20CC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 14:25:59 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbc0000 |
| File size: | 847'360 bytes |
| MD5 hash: | 6482EE0F372469D1190C74BD70D76153 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 14:25:59 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6e60e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
⊘No disassembly
