File name:

a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777

Full analysis: https://app.any.run/tasks/e79ffba0-32c9-4eb6-a893-086e04361fa3
Verdict: Malicious activity
Analysis date: November 17, 2024, 00:26:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

869366922EC1233B2FD7ADACB0CE27C3

SHA1:

8980EF4149A7B3F357F9D114735E9797CD607E84

SHA256:

A0041464EAECDB08119B38F377C919E512610307CD7F994ABA11C02112FB6777

SSDEEP:

98304:rbURABS877LVqsNkCcZOlmGiljxVjl3JZDm1bIpSHPoHNvq6Z42UgpAle7EWJwI3:+n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe (PID: 5592)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe (PID: 5592)
      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)

    • Reads the Windows owner or organization settings

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)

    • Reads security settings of Internet Explorer

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)

  • INFO

    • Checks supported languages

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe (PID: 5592)
      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)
      • DontSleep_x64.exe (PID: 6044)

    • Reads the computer name

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)
      • DontSleep_x64.exe (PID: 6044)

    • The process uses the downloaded file

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)

    • Create files in a temporary directory

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)
      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe (PID: 5592)

    • Process checks computer location settings

      • a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp (PID: 2620)

    • Creates files or folders in the user directory

      • DontSleep_x64.exe (PID: 6044)

    • Sends debugging messages

      • DontSleep_x64.exe (PID: 6044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:02:11 18:13:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 37888
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 9.59.1.0
ProductVersionNumber: 9.59.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Nenad Hrg (SoftwareOK.com)
FileDescription: DontSleep
FileVersion: 9.59.1.0
LegalCopyright:
OriginalFileName:
ProductName: DontSleep
ProductVersion: 9.59.1.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp dontsleep_x64.exe

Process information

PID
CMD
Path
Indicators
Parent process
2620"C:\Users\admin\AppData\Local\Temp\is-GPGO3.tmp\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp" /SL5="$8023E,1465419,721408,C:\Users\admin\Desktop\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe" C:\Users\admin\AppData\Local\Temp\is-GPGO3.tmp\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp
a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-gpgo3.tmp\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
5592"C:\Users\admin\Desktop\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe" C:\Users\admin\Desktop\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe
explorer.exe
User:
admin
Company:
Nenad Hrg (SoftwareOK.com)
Integrity Level:
MEDIUM
Description:
DontSleep
Exit code:
1
Version:
9.59.1.0
Modules
Images
c:\users\admin\desktop\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6044"C:\Users\admin\AppData\Local\Temp\is-HSJ20.tmp\DontSleep_x64.exe" C:\Users\admin\AppData\Local\Temp\is-HSJ20.tmp\DontSleep_x64.exe
a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmp
User:
admin
Company:
Nenad Hrg (SoftwareOK.com)
Integrity Level:
MEDIUM
Description:
Don't Sleep
Version:
9.59.1.0
Modules
Images
c:\users\admin\appdata\local\temp\is-hsj20.tmp\dontsleep_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
913
Read events
908
Write events
5
Delete events
0

Modification events

(PID) Process:(6044) DontSleep_x64.exeKey:HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
Operation:writeName:GUID
Value:
90B216967AA4EF118001444553540000
(PID) Process:(6044) DontSleep_x64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Version
Value:
0A050000
(PID) Process:(6044) DontSleep_x64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Name
Value:
DONTSLEEP_X64.EXE
(PID) Process:(6044) DontSleep_x64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Id
Value:
DONTSLEEP_X64.EXE67014C9400081908
(PID) Process:(6044) DontSleep_x64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:MostRecentStart
Value:
8E986C588738DB01
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2620a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmpC:\Users\admin\AppData\Local\Temp\is-HSJ20.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5592a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.exeC:\Users\admin\AppData\Local\Temp\is-GPGO3.tmp\a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmpexecutable
MD5:797B09E2DCF988B4320DDCDD4CB936F0
SHA256:1A93F3E99AFAE583E7AD643C3A0850E7136CF727C6DEAD288F482214837F9B4C
2620a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmpC:\Users\admin\AppData\Local\Temp\is-HSJ20.tmp\idp.dllexecutable
MD5:55C310C0319260D798757557AB3BF636
SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
6044DontSleep_x64.exeC:\Users\admin\AppData\Roaming\DontSleep\DontSleep.initext
MD5:71BFA4B1B2A2049BEFA50A86463A014F
SHA256:A4683279940CA2EA6C25B63F07F41D7E2EAB4AC3246FF57C8C771E7C923ABD29
2620a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777.tmpC:\Users\admin\AppData\Local\Temp\is-HSJ20.tmp\DontSleep_x64.exeexecutable
MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
SHA256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
27
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1752
RUXIMICS.exe
GET
200
184.24.77.23:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
184.24.77.23:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.24.77.23:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1752
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1752
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
92.123.104.32:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
184.24.77.23:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1752
RUXIMICS.exe
184.24.77.23:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
184.24.77.23:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 92.123.104.32
  • 92.123.104.38
  • 92.123.104.34
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 184.24.77.23
  • 184.24.77.6
  • 184.24.77.42
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted

Threats

No threats detected
Process
Message
DontSleep_x64.exe
Set-Img
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777