
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:Setup.exe
Analysis ID:1587694
MD5:8f195e5120614a9e3a734e496e1cc08f
SHA1:e9cf4b56a535222a7e3755d4bcc1705aca7c15de
SHA256:319a04d9599da49736e379f99d5dbabfc42f037b6e9b75db328bf05f37db7ae1

Detection

Score:45
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64_ra
  • Setup.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 8F195E5120614A9E3A734E496E1CC08F)
    • chrome.exe (PID: 7116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid= MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
      • chrome.exe (PID: 6180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1864,i,6811724821742435092,4060110425535167665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • SetupEngine.exe (PID: 5764 cmdline: "C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe" /fcid /instdir C:\Program Files (x86)\Fast! /startup 1 MD5: AC411F56C2DD288E58B1D0F02FE441D6)
      • powershell.exe (PID: 1652 cmdline: powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2736 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
      • cmd.exe (PID: 2152 cmdline: cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • diskspd.exe (PID: 1952 cmdline: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp MD5: FC41CABDD3C18079985AC5F648F58A90)
  • rundll32.exe (PID: 788 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force", CommandLine: powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force", CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe" /fcid /instdir C:\Program Files (x86)\Fast! /startup 1, ParentImage: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe, ParentProcessId: 5764, ParentProcessName: SetupEngine.exe, ProcessCommandLine: powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force", ProcessId: 1652, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Setup.exe | ReversingLabs: Detection: 34%
Source: Setup.exe | Virustotal: Detection: 20%
Source: https://veryfast.io/installing2.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid= | HTTP Parser: No favicon
Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Setup.exe | Static PE information: certificate valid
Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: inetc.dll.0.dr, inetc.dll.21.dr
Source: Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdb source: diskspd.exe, 0000001B.00000000.2261110691.0000000000861000.00000020.00000001.01000000.0000001B.sdmp, diskspd.exe.21.dr
Source: Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdbGCTL source: diskspd.exe, 0000001B.00000000.2261110691.0000000000861000.00000020.00000001.01000000.0000001B.sdmp, diskspd.exe.21.dr
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\Temp\~DFE6F2E36413145217.TMP
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: Joe Sandbox View | IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View | IP Address: 161.35.127.181 161.35.127.181
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SetupEngine.exe, 00000015.00000002.2320546318.000000000040A000.00000004.00000001.01000000.00000012.sdmp, diskspd.exe.21.dr | String found in binary or memory: http://corppki/aia/MSIT%20Test%20CodeSign%20CA%203(1).crt0V
Source: SetupEngine.exe, 00000015.00000002.2320546318.000000000040A000.00000004.00000001.01000000.00000012.sdmp, diskspd.exe.21.dr | String found in binary or memory: http://corppki/crl/MSIT%20Test%20CodeSign%20CA%203(1).crl
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.exe, SetupEngine.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000016.00000002.2236894324.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Setup.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000016.00000002.2236894324.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4iaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4jaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4vaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5OaVI
Source: chromecache_105.4.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5caVI
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsofM
Source: powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsofMSFT_NetAdapterStatistics.Format.ps1xml
Source: powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repcdn.veryfast.io/
Source: Setup.exe, 00000000.00000003.2177971997.0000000000603000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2191793619.0000000000602000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2131050818.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repcdn.veryfast.io//
Source: Setup.exe, 00000000.00000002.2192913555.0000000004DBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repcdn.veryfast.io/download/2.353/SetupEngine.exe
Source: Setup.exe, 00000000.00000003.2165997387.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1088365969.0000000004DD3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1182727611.0000000004DDA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1232056157.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1182708490.0000000004E03000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1089480388.0000000004D97000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/00%)
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/7750kB
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/?p=lp_veryfast_privacy_r1&guid=0x408
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/?p=lp_veryfast_tos_r1&guid=
Source: SetupEngine.exe, 00000015.00000003.2185888099.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/J
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/download.php?engine=1&guid=
Source: Setup.exe, 00000000.00000002.2192913555.0000000004DAE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2191351597.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/download.php?engine=1&guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&mini_ver=
Source: Setup.exe, 00000000.00000002.2191508951.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190375616.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2131050818.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/inst_cpg.php?src=fast_mini&guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&vers
Source: SetupEngine.exe, 00000015.00000002.2322531096.0000000000790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installed.php?guid=
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=
Source: Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=
Source: Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178172838.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=5
Source: Setup.exe, 00000000.00000003.2131050818.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190083624.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=:O
Source: Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=I)
Source: Setup.exe, 00000000.00000003.2131050818.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190083624.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=IN
Source: Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=M
Source: Setup.exe, 00000000.00000003.2131050818.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190083624.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=SO
Source: Setup.exe, 00000000.00000002.2190590512.0000000000438000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=Select6
Source: Setup.exe, 00000000.00000003.1186828765.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=T-
Source: Setup.exe, 00000000.00000003.1186828765.0000000004DE9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004DE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=_
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=l
Source: Setup.exe, 00000000.00000003.1186529533.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=o
Source: Setup.exe, 00000000.00000003.2189913426.0000000004E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/m
Source: Setup.exe, 00000000.00000003.1089480388.0000000004D97000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/o
Source: SetupEngine.exe, 00000015.00000002.2322531096.0000000000790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/pixel.gif?guid=
Source: Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/pixel.gif?guid=&version=&evt_src=installer&evt_action=cancel
Source: Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1232056157.0000000004E24000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004DBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/pixel.gif?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&evt_src=installer&evt
Source: SetupEngine.exe, 00000015.00000002.2322531096.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/pixel.gif?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&version=2.353&evt_src
Source: Setup.exe, 00000000.00000003.1092826854.0000000004DD4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1088365969.0000000004DD3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1182727611.0000000004DDA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1175894494.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/q
Source: SetupEngine.exe, 00000015.00000002.2322531096.0000000000790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/register.php?guid=
Source: SetupEngine.exe, 00000015.00000003.2185888099.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://veryfast.io/x
Source: Setup.exe, 00000000.00000002.2190590512.0000000000416000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGraphicalInstaller.dllX vs Setup.exe
Source: classification engine | Classification label: mal45.evad.winEXE@27/49@0/15
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Program Files (x86)\Fast!
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\FAST!
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB00.tmp
Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: Setup.exe | String found in binary or memory: www.graphical-installer.com
Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1864,i,6811724821742435092,4060110425535167665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe "C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe" /fcid /instdir C:\Program Files (x86)\Fast! /startup 1
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe "C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe" /fcid /instdir C:\Program Files (x86)\Fast! /startup 1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1864,i,6811724821742435092,4060110425535167665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (8 times)
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force"
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll (2 times)
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wintypes.dll (3 times)
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: asycfilt.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: asycfilt.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Section loaded: wintypes.dll (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2 times)
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: miutils.dll (2 times)
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Google Drive.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Setup.exe | Static PE information: certificate valid
Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: inetc.dll.0.dr, inetc.dll.21.dr
Source: Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdb source: diskspd.exe, 0000001B.00000000.2261110691.0000000000861000.00000020.00000001.01000000.0000001B.sdmp, diskspd.exe.21.dr
Source: Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdbGCTL source: diskspd.exe, 0000001B.00000000.2261110691.0000000000861000.00000020.00000001.01000000.0000001B.sdmp, diskspd.exe.21.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force"
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force"
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File created: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\GraphicalInstaller.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File created: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\Banner.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File created: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\System.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\GraphicalInstaller.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\Math.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\System.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\inetc.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File created: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\inetc.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File created: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\Math.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\nsJSON.dll
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\nsDialogs.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
Source: C:\Users\user\Desktop\Setup.exe | Process information set: NOOPENFILEERRORBOX (18 times)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process information set: NOOPENFILEERRORBOX (15 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (32 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2545
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7267
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\GraphicalInstaller.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\Banner.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\System.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\GraphicalInstaller.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\Math.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\System.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\inetc.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\inetc.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\Math.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\nsJSON.dll
Source: C:\Users\user\Desktop\Setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswEB01.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe TID: 5940 | Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe TID: 5940 | Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1488 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\Temp\~DFE6F2E36413145217.TMP
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: SetupEngine.exe.0.dr | Binary or memory string: 1Z-hgFS
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Setup.exe, 00000000.00000003.2190083624.00000000005C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware%2C+Inc%2Ekl
Source: Setup.exe, 00000000.00000002.2191508951.00000000005CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Setup.exe, 00000000.00000003.1089480388.0000000004D97000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1186529533.000000000060C000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000003.2185888099.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SetupEngine.exe, 00000015.00000002.2322531096.00000000007E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWxI
Source: Setup.exe, 00000000.00000002.2192913555.0000000004D73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "pc_vendor":"VMware%2C+Inc%2E",
Source: powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\Setup.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force"
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "register-scheduledtask fast_task -inputobject (new-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files (x86)\fast!\fast!.exe') -principal (new-scheduledtaskprincipal -userid ($env:userdomain + '\' + $env:username) -runlevel highest) -settings (new-scheduledtasksettingsset -multipleinstances queue -allowstartifonbatteries -dontstopifgoingonbatteries)) -force"
Source: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "register-scheduledtask fast_task -inputobject (new-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files (x86)\fast!\fast!.exe') -principal (new-scheduledtaskprincipal -userid ($env:userdomain + '\' + $env:username) -runlevel highest) -settings (new-scheduledtasksettingsset -multipleinstances queue -allowstartifonbatteries -dontstopifgoingonbatteries)) -force"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Mitre Att&ck Matrix

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 141 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 2 Masquerading | OS Credential Dumping | 131 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 141 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Rundll32 | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 132 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Behavior Graph

Behavior Graph ID: 1587694
Sample: Setup.exe
Startdate: 10/01/2025
Architecture: WINDOWS
Score: 45

Process tree, network contacts, dropped files and signatures recovered from the graph:

Start
  Signature: Multi AV Scanner detection for submitted file
  Setup.exe 65 (started)
    Network: 169.150.255.180 SPIRITTEL-ASUS United States; 165.227.204.94 DIGITALOCEAN-ASNUS United States
    Dropped: C:\Users\user\AppData\...\SetupEngine.exe, PE32; C:\Users\user\AppData\Local\...\nsJSON.dll, PE32; C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32; 5 other files (none is malicious)
    Signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    SetupEngine.exe 64 (started)
      Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\inetc.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32; 3 other files (none is malicious)
      Signature: Suspicious powershell command line found
      powershell.exe 37 (started)
        Signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
      cmd.exe 2 (started)
        conhost.exe (started)
        diskspd.exe 2 (started)
    chrome.exe 9 (started)
      Network: 192.168.2.17 unknown unknown; 239.255.255.250 unknown Reserved
      chrome.exe (started)
        Network: 169.150.255.183 SPIRITTEL-ASUS United States; 37.19.194.81 INTERTELECOMUA Ukraine; 9 other IPs or domains
  rundll32.exe (started)
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Setup.exe | 35% | ReversingLabs | | |
| Setup.exe | 21% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe | 8% | ReversingLabs | | |
| C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\GraphicalInstaller.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\Math.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\inetc.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw9C2B.tmp\nsExec.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\Banner.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\GraphicalInstaller.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\Math.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\inetc.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\nsDialogs.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nswEB01.tmp\nsJSON.dll | 0% | ReversingLabs | | |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://repcdn.veryfast.io/ | 0% | Avira URL Cloud | safe | |
| http://corppki/crl/MSIT%20Test%20CodeSign%20CA%203(1).crl | 0% | Avira URL Cloud | safe | |
| https://repcdn.veryfast.io// | 0% | Avira URL Cloud | safe | |
| https://go.microsofM | 0% | Avira URL Cloud | safe | |
| https://go.microsofMSFT_NetAdapterStatistics.Format.ps1xml | 0% | Avira URL Cloud | safe | |
| http://corppki/aia/MSIT%20Test%20CodeSign%20CA%203(1).crt0V | 0% | Avira URL Cloud | safe | |
| https://repcdn.veryfast.io/download/2.353/SetupEngine.exe | 0% | Avira URL Cloud | safe | |
No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://veryfast.io/installing2.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid= | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid= | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=I) | Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/download.php?engine=1&guid= | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://go.microsofM | powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://veryfast.io/ | Setup.exe, 00000000.00000003.2165997387.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1088365969.0000000004DD3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1182727611.0000000004DDA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1232056157.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1182708490.0000000004E03000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1089480388.0000000004D97000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/pixel.gif?guid=&version=&evt_src=installer&evt_action=cancel | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=Select6 | Setup.exe, 00000000.00000002.2190590512.0000000000438000.00000004.00000001.01000000.00000003.sdmp | false | | high |
| https://go.microsofMSFT_NetAdapterStatistics.Format.ps1xml | powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://repcdn.veryfast.io/download/2.353/SetupEngine.exe | Setup.exe, 00000000.00000002.2192913555.0000000004DBE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://aka.ms/pscore6 | powershell.exe, 00000016.00000002.2236894324.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid= | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/J | SetupEngine.exe, 00000015.00000003.2185888099.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://repcdn.veryfast.io/ | Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://veryfast.io/o | Setup.exe, 00000000.00000003.1089480388.0000000004D97000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=T- | Setup.exe, 00000000.00000003.1186828765.0000000004DF9000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=SO | Setup.exe, 00000000.00000003.2131050818.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190083624.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/m | Setup.exe, 00000000.00000003.2189913426.0000000004E17000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=o | Setup.exe, 00000000.00000003.1186529533.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/q | Setup.exe, 00000000.00000003.1092826854.0000000004DD4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1088365969.0000000004DD3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1182727611.0000000004DDA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1175894494.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=l | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://nuget.org/nuget.exe | powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/00%) | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/x | SetupEngine.exe, 00000015.00000003.2185888099.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, SetupEngine.exe, 00000015.00000002.2322531096.000000000083C000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/pixel.gif?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&version=2.353&evt_src | SetupEngine.exe, 00000015.00000002.2322531096.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=_ | Setup.exe, 00000000.00000003.1186828765.0000000004DE9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004DE5000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000016.00000002.2236894324.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=:O | Setup.exe, 00000000.00000003.2131050818.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190083624.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://nuget.org/NuGet.exe | powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2234966566.0000000000958000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://repcdn.veryfast.io// | Setup.exe, 00000000.00000003.2177971997.0000000000603000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2191793619.0000000000602000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2131050818.0000000000603000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://corppki/aia/MSIT%20Test%20CodeSign%20CA%203(1).crt0V | SetupEngine.exe, 00000015.00000002.2320546318.000000000040A000.00000004.00000001.01000000.00000012.sdmp, diskspd.exe.21.dr | false | Avira URL Cloud: safe | unknown |
| https://veryfast.io/inst_cpg.php?src=fast_mini&guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&vers | Setup.exe, 00000000.00000002.2191508951.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190375616.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2131050818.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=M | Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/pixel.gif?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&evt_src=installer&evt | Setup.exe, 00000000.00000002.2192913555.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1232056157.0000000004E24000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2192913555.0000000004DBE000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://contoso.com/Icon | powershell.exe, 00000016.00000002.2240114617.0000000005A52000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/download.php?engine=1&guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=&mini_ver= | Setup.exe, 00000000.00000002.2192913555.0000000004DAE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2191351597.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://nsis.sf.net/NSIS_ErrorError | Setup.exe, SetupEngine.exe.0.dr | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/?p=lp_veryfast_privacy_r1&guid=0x408 | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://corppki/crl/MSIT%20Test%20CodeSign%20CA%203(1).crl | SetupEngine.exe, 00000015.00000002.2320546318.000000000040A000.00000004.00000001.01000000.00000012.sdmp, diskspd.exe.21.dr | false | Avira URL Cloud: safe | unknown |
| https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=5 | Setup.exe, 00000000.00000003.1186697778.0000000004E17000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178172838.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://veryfast.io/?p=lp_veryfast_tos_r1&guid= | Setup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000016.00000002.2236894324.0000000004B2D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                                                                                      high
                                                                                      https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=INSetup.exe, 00000000.00000003.2131050818.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2190083624.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2178236560.00000000005D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://veryfast.io/register.php?guid=SetupEngine.exe, 00000015.00000002.2322531096.0000000000790000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://veryfast.io/installed.php?guid=SetupEngine.exe, 00000015.00000002.2322531096.0000000000790000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://veryfast.io/pixel.gif?guid=SetupEngine.exe, 00000015.00000002.2322531096.0000000000790000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://veryfast.io/7750kBSetup.exe, 00000000.00000002.2191071960.000000000055A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                • No. of IPs < 25%
                                                                                                • 25% < No. of IPs < 50%
                                                                                                • 50% < No. of IPs < 75%
                                                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
108.177.15.84 | unknown | United States | 15169 | GOOGLEUS | false
216.58.212.138 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.227 | unknown | United States | 15169 | GOOGLEUS | false
165.227.204.94 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.142 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.164 | unknown | United States | 15169 | GOOGLEUS | false
161.35.127.181 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
169.150.255.183 | unknown | United States | 2711 | SPIRITTEL-ASUS | false
37.19.194.81 | unknown | Ukraine | 31343 | INTERTELECOMUA | false
142.250.186.99 | unknown | United States | 15169 | GOOGLEUS | false
169.150.255.180 | unknown | United States | 2711 | SPIRITTEL-ASUS | false
                                                                                                IP
                                                                                                192.168.2.17
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587694
Start date and time: 2025-01-10 15:56:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal45.evad.winEXE@27/49@0/15
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping network analysis since the amount of network traffic is too extensive
Time | Type | Description
09:58:41 | API Interceptor | 66x Sleep call for process: Setup.exe modified
09:59:16 | API Interceptor | 24x Sleep call for process: powershell.exe modified
                                                                                                                                        • 64.227.64.62
                                                                                                                                        3.elfGet hashmaliciousUnknownBrowse
                                                                                                                                        • 157.230.180.162
                                                                                                                                        https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                        • 162.243.189.2
                                                                                                                                        http://hikingandadventures.com/inv/Get hashmaliciousCaptcha Phish, HTMLPhisherBrowse
                                                                                                                                        • 165.227.159.34
No context

Match: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe
Associated sample name / URL, detection and threat name:
• https://veryfast.io, Detection: malicious, Threat Name: Unknown
• 9c23f857-b0b9-47d6-b664-47a3132066f4.exe, Detection: malicious, Threat Name: Unknown
• 9c23f857-b0b9-47d6-b664-47a3132066f4.exe, Detection: malicious, Threat Name: Unknown
• Setup (1).exe, Detection: malicious, Threat Name: Unknown
• Setup (1).exe, Detection: malicious, Threat Name: Unknown
• Setup (1).exe, Detection: malicious, Threat Name: Unknown
• SetupFA.exe, Detection: malicious, Threat Name: Unknown
• Setup 2.exe, Detection: malicious, Threat Name: Unknown
• SetupFA.exe, Detection: malicious, Threat Name: Unknown
• SetupFA.exe, Detection: malicious, Threat Name: Unknown
Process: C:\Users\user\Desktop\Setup.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 130816024
Entropy (8bit): 7.997751892073086
Encrypted: true
SSDEEP: 3145728:Ism4EkXPikhk8/f6smzMPLgQrY0Z/oE7e39wWrUd2Ym8y7rzGqAQPi:8wXP5lQcLgKBBq3Yd2YmV7rzGzQPi
MD5: AC411F56C2DD288E58B1D0F02FE441D6
SHA1: 4FE4D611737AC38AB0740817460098F78A811EF5
SHA-256: BDE4E4028A5CCD7386D9491287CE327EEF568513A8DE3EE4330C54B189C2E8FC
SHA-512: E83602A4E01ADA1B1D1D6252E860F6178524B9C5B42A93891F74E8A627BC07F3FCED54AB0309CEE895280FDCF0F9BF1C01782C1523051A0783952731245E953B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Reputation: low
Process: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 144688
Entropy (8bit): 6.667845757025275
Encrypted: false
SSDEEP: 1536:4YRHFhhMmofU98VLVFqZ3/FnKk2vlQBOJ2LcjNal+laLMQ03hc3J2tjF6+hjIEKT:NRlhhMmh33NnaE6O0vF6wBYqW2popg4
MD5: FC41CABDD3C18079985AC5F648F58A90
SHA1: 51A619DDCB3661AA8675C2D7483840AC4F991746
SHA-256: FA159F50E67FB5829F0F2511E25111C719411E6B6152FEA97F3A296264C7D7A4
SHA-512: 691090B54CE52D7E8BCFFF2711ADE7A6A8BB21B409358D7BFFC2053A53C116C7C22896F21BA36945A54F094D963CD9361A132D2E165365FE287C02F3C60356ED
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: 9c23f857-b0b9-47d6-b664-47a3132066f4.exe, Detection: malicious
• Filename: 9c23f857-b0b9-47d6-b664-47a3132066f4.exe, Detection: malicious
• Filename: Setup (1).exe, Detection: malicious
• Filename: Setup (1).exe, Detection: malicious
• Filename: Setup (1).exe, Detection: malicious
• Filename: SetupFA.exe, Detection: malicious
• Filename: Setup 2.exe, Detection: malicious
• Filename: SetupFA.exe, Detection: malicious
• Filename: SetupFA.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe
File Type: data
Category: dropped
Size (bytes): 104857600
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 2F282B84E7E608D5852449ED940BFC51
SHA1: 2C2CECCB5EC5574F791D45B63C940CFF20550F9A
SHA-256: 20492A4D0D84F8BEB1767F6616229F85D44C2827B64BDBFB260EE12FA1109E0E
SHA-512: 2798503C2C7B718799324122137BF30A562AAD1BC04BBF343DAAD225A5FD0D1FD5D269843A01AB00D4F8D8C5AB34F8956065F9831EF7459E9C487E895099E956
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 22904
Entropy (8bit): 5.617614419519358
Encrypted: false
SSDEEP:
MD5: 9068219D5734BAF73AF1204FFA228258
SHA1: 91837D3AD91C22AF8502960995670093E56A4A4B
SHA-256: AB5AD46E2AD9C43958D0645EBDF621540C6F3CA1A3E824F84F26C849848E5A42
SHA-512: E43E101D1B73EFF5ABB4B59F776B0AAE6B6472D9981AC01862F24BB293C5DF1DBC26EF6AAE4F37E692F29BF785CA62C02AE940FDC6114924CDC7D57DB5583C6E
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP:
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):107520
                                                                                                                                                            Entropy (8bit):6.21400379458023
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:6FF9AA6C53A5035789F57FA3339267A0
                                                                                                                                                            SHA1:DC7603910C8FF0FFB9364CB5E5E2B6AFE6F6E72B
                                                                                                                                                            SHA-256:B3F434CFFAEC74B744EDFEB916CD54B2FD0404319178C674E46F6BC65C6E56CD
                                                                                                                                                            SHA-512:981064B4BF3D2CAE0AFB1BAEBCE2C0F7379EACEC8D64C85293754A4C43F74A33FD07A2A6CB949504B9D8662600F3AC24512EAE7E3143C1242F679C7473074D02
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A...A...A...Z.'._...Z...Q......C...Z.&.....H...L...A......Z.".D...Z...@...Z...@...Z...@...RichA...................PE..L....,#c...........!................(........0......................................................................`y......|j..........@.......................H....................................................0...............................text...T........................... ..`.rdata..'K...0...L..................@..@.data....,...........f..............@....rsrc...@............z..............@..@.reloc...!......."..................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):69120
                                                                                                                                                            Entropy (8bit):6.024967061017882
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:85428CF1F140E5023F4C9D179B704702
                                                                                                                                                            SHA1:1B51213DDBAEDFFFB7E7F098F172F1D4E5C9EFBA
                                                                                                                                                            SHA-256:8D9A23DD2004B68C0D2E64E6C6AD330D0C648BFFE2B9F619A1E9760EF978207A
                                                                                                                                                            SHA-512:DFE7F9F3030485CAF30EC631424120030C3985DF778993342A371BF1724FA84AA885B4E466C6F6B356D99CC24E564B9C702C7BCDD33052172E0794C2FDECCE59
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.................F.........................5.....5....:6....Rich...........PE..L.....Oa...........!................KG....................................................@.............................B.......(....................................................................................................................text...b........................... ..`.rdata..R...........................@..@.data............2..................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):12288
                                                                                                                                                            Entropy (8bit):5.814115788739565
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):21426
                                                                                                                                                            Entropy (8bit):7.414051323260024
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:641995DCA6E3100E845E78E5474A66B9
                                                                                                                                                            SHA1:721729D82041E064E8FF305CCCF5B2564CD3BD30
                                                                                                                                                            SHA-256:3BA4ECC6A8013CBEBECA713E2B9354E00C1C746E16E32238C3A275647796C3D2
                                                                                                                                                            SHA-512:33959F4AAFB494BBC12919C581B6D10064B4EBAD752BC81D6CACA3E5633D5D7DEFF2FFC78AF4D0C97AE16F1CF944D1BC2177BC59BE9B196DA35B3C947D48DA5F
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......JFIF.....`.`....."Exif..MM.*.........................C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....l|!...zm.........K.V....*....~.+m^.s8.+H..QT.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.W.m...5z..+.......QZ..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1768
                                                                                                                                                            Entropy (8bit):4.628745287685124
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:E750A9502809C0B97224053EA8A2FB50
                                                                                                                                                            SHA1:970580150F8CF3427E6A8E7B0F2594131025C778
                                                                                                                                                            SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
                                                                                                                                                            SHA-512:6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......JFIF.....].].....rExif..MM.*.............................J...........R.(...........1.........Z......o.......o.....paint.net 5.0.7....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:PC bitmap, Windows 3.x format, 83 x 104 x 8, image size 8736, resolution 3778 x 3778 px/m, cbSize 9814, bits offset 1078
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):9814
                                                                                                                                                            Entropy (8bit):2.2213559532597427
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:BFCF1F0F62115A68FB836BF28AA9C183
                                                                                                                                                            SHA1:9E30C7F08CFEBD79D8637EEA8C2675F06885A75F
                                                                                                                                                            SHA-256:CC5EC3BA7F3BCDCDFFD8154E62F8A52A1C9E98306EDBF1453D2F515A8A438797
                                                                                                                                                            SHA-512:9891EBB390EF38E116DA4C50C8AB23A56D7261305FCD0CB2AB00C294DD5B7C9B5B317C34FDE38FA9E85E9BD382B3CC62CC9A99D92BAC04AB41C01F27F87AAA6F
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:BMV&......6...(...S...h........... ".......................................................... @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`....................... ...@...`....................... ...@...`................@...@. .@.@.@.`.@...@...@...@...@ ..@ .@ @.@ `.@ ..@ ..@ ..@ ..@@..@@ .@@@.@@`.@@..@@..@@..@@..@`..@` .@`@.@``.@`..@`..@`..@`..@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@..@...@......... ...@...`.................. ... .. @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`....................... ...@...`....................... ...@...`...................... ...@...`.................. ... .. @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`...
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1768
                                                                                                                                                            Entropy (8bit):4.628745287685124
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:E750A9502809C0B97224053EA8A2FB50
                                                                                                                                                            SHA1:970580150F8CF3427E6A8E7B0F2594131025C778
                                                                                                                                                            SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
                                                                                                                                                            SHA-512:6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......JFIF.....].].....rExif..MM.*.............................J...........R.(...........1.........Z......o.......o.....paint.net 5.0.7....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):7066
                                                                                                                                                            Entropy (8bit):4.240740520431343
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:6760E84E617164F959E76298BE77701B
                                                                                                                                                            SHA1:558896858DE762C3C731572117F0209C021A8311
                                                                                                                                                            SHA-256:A6DFCFFA07DF1AC46881E977801CE6C465AC7E9427BEC164208F34446F098A3A
                                                                                                                                                            SHA-512:5C8CB1D3FE9F84DEE4958837E3B42B3734A2AE86E32DBB67BAFF6602C85FA6DDFDD39345AD24E2D90B38C693F024B6F2709E82135B90F42CF2FCD1F59DC49480
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......JFIF.....`.`....."Exif..MM.*.........................C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
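The dropped-file records above give hashes and a vendor verdict but nothing to act on. The Python below is an added example, not Joe Sandbox code: it parses an abridged, constructed excerpt of these same records (field names and hash values copied from the report, previews truncated, SHA1/SSDEEP lines omitted), sets aside the 60-byte file that PowerShell itself writes on start-up to test whether AppLocker/WDAC is enforcing (a host artifact, not part of Setup.exe), collapses the 1768-byte JPEG that appears twice under one SHA-256, checks that a record's stated file type agrees with its preview bytes, and hashes local bytes the way the report prints them so a file found on another host can be matched against the table. The "Malicious:false" field is the sandbox's heuristic and "ReversingLabs, Detection: 0%" is one vendor's opinion; the table keeps those files anyway, because neither field proves the DLLs dropped under AppData\Local\FAST!\Temp are benign. All function and variable names are the example's own.

```python
import hashlib
import re

# Constructed excerpt of the report's records (abridged; hashes as printed).
SAMPLE_RECORDS = """\
Process:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Users\\user\\AppData\\Local\\FAST!\\Temp\\SetupEngine.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):107520
MD5:6FF9AA6C53A5035789F57FA3339267A0
SHA-256:B3F434CFFAEC74B744EDFEB916CD54B2FD0404319178C674E46F6BC65C6E56CD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@....!..L.!This program cannot be run in DOS mode....
Process:C:\\Users\\user\\AppData\\Local\\FAST!\\Temp\\SetupEngine.exe
File Type:JPEG image data, JFIF standard 1.01, baseline, precision 8, 256x250, components 3
Size (bytes):1768
MD5:E750A9502809C0B97224053EA8A2FB50
SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
Malicious:false
Preview:......JFIF.....].].....rExif..MM.*....
Process:C:\\Users\\user\\AppData\\Local\\FAST!\\Temp\\SetupEngine.exe
File Type:JPEG image data, JFIF standard 1.01, baseline, precision 8, 256x250, components 3
Size (bytes):1768
MD5:E750A9502809C0B97224053EA8A2FB50
SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
Malicious:false
Preview:......JFIF.....].].....rExif..MM.*....
"""

SHA256_RE = re.compile(r"^[0-9A-F]{64}$")
# Content PowerShell writes to %TEMP%\__PSScriptPolicyTest_*.ps1/.psm1 at start-up.
POLICY_PROBE_TEXT = "# PowerShell test file to determine AppLocker lockdown mode"


def parse_records(text):
    """One dict per dropped file. A 'Process:' line opens a record; the
    '• Antivirus:' bullets under the empty 'Antivirus:' header are collected
    into a list. Keys and values are split on the first colon only, so
    'C:\\...' paths and 'Exif Standard: [...]' type strings survive intact."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            cur = {"Antivirus": []}
            records.append(cur)
        if cur is None:
            continue                      # stray text before the first record
        if line.startswith("•"):
            cur["Antivirus"].append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")
        if key == "Antivirus":            # header only; the bullets carry the data
            continue
        cur[key] = value.strip()
    return records


def is_powershell_policy_probe(rec):
    """True for PowerShell's own AppLocker/WDAC probe file, a host artifact."""
    return (rec.get("Process", "").lower().endswith("powershell.exe")
            and rec.get("Preview", "").startswith(POLICY_PROBE_TEXT))


def dedupe_by_sha256(records):
    """Collapse one payload dropped under several names; keep how often it was seen."""
    uniq = {}
    for rec in records:
        h = rec.get("SHA-256", "")
        if not SHA256_RE.match(h):
            continue                      # no usable hash, nothing to pivot on
        if h in uniq:
            uniq[h]["count"] += 1
        else:
            uniq[h] = dict(rec, count=1)
    return uniq


def ioc_table(records):
    """Unique hashes attributable to the sample: the policy probe is removed,
    'Malicious:false' and the single-vendor 0% verdict are deliberately ignored."""
    return {h: r for h, r in dedupe_by_sha256(records).items()
            if not is_powershell_policy_probe(r)}


def check_consistency(rec):
    """Warn when a record's stated type and its preview bytes disagree."""
    warnings = []
    if rec.get("File Type", "").startswith("PE32") and not rec.get("Preview", "").startswith("MZ"):
        warnings.append("PE32 type but preview lacks MZ header")
    return warnings


def hash_bytes(data):
    """Hash local bytes in the report's own upper-case hex layout."""
    return {name: hashlib.new(algo, data).hexdigest().upper()
            for name, algo in (("MD5", "md5"), ("SHA1", "sha1"),
                               ("SHA-256", "sha256"), ("SHA-512", "sha512"))}


def match_local(data, table):
    """Return the IOC record whose SHA-256 matches `data`, else None."""
    return table.get(hash_bytes(data)["SHA-256"])
```

Run `ioc_table(parse_records(SAMPLE_RECORDS))` to get the two sample-attributable hashes (the 107520-byte DLL and the JPEG, the latter with count 2); feed `match_local` the bytes of a suspect file from another host to test it against that table. Keying on SHA-256 rather than MD5 avoids treating an MD5 collision as a match, while still emitting MD5/SHA1 for tools that only accept those.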
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):39424
                                                                                                                                                            Entropy (8bit):4.684597989866362
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:A35CDC9CF1D17216C0AB8C5282488EAD
                                                                                                                                                            SHA1:ED8E8091A924343AD8791D85E2733C14839F0D36
                                                                                                                                                            SHA-256:A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
                                                                                                                                                            SHA-512:0F15B00D0BF2AABD194302E599D69962147B4B3EF99E5A5F8D5797A7A56FD75DD9DB0A667CFBA9C758E6F0DAB9CED126A9B43948935FE37FC31D96278A842BDF
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.[.H.[.H.[.H.O.I.R.H.[.I...H...M.Y.H...L.Z.H...H.Z.H.....Z.H...J.Z.H.Rich[.H.................PE..L...n..c...........!.....T.........._........p............................... ............@..........................x......D...d...............................t....w..8...............................................D............................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data....i...........d..............@....idata..A............v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:modified
                                                                                                                                                            Size (bytes):7168
                                                                                                                                                            Entropy (8bit):5.298362543684714
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                            SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                            SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                            SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):4096
                                                                                                                                                            Entropy (8bit):3.679447058913102
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:A1B9BDEE9FC87D11676605BD79037646
                                                                                                                                                            SHA1:8D6879F63048EB93B9657D0B78F534869D1FFF64
                                                                                                                                                            SHA-256:39E3108E0A4CCFB9FE4D8CAF4FB40BAA39BDD797F3A4C1FA886086226E00F465
                                                                                                                                                            SHA-512:CD65D18ECA885807C7C810286CEBEF75555D13889A4847BB30DC1A08D8948893899CC411728097641A8C07A8DCC59E1C1EFA0E860E93DADA871D5B7ACC61B1E5
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.............................. ......0#......Rich............................PE..L....Oa...........!......................... ...............................P............@.........................."..h...l ..<............................@....................................................... ..l............................text...j........................... ..`.rdata..(.... ......................@..@.data...<....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):107520
                                                                                                                                                            Entropy (8bit):6.21400379458023
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:6FF9AA6C53A5035789F57FA3339267A0
                                                                                                                                                            SHA1:DC7603910C8FF0FFB9364CB5E5E2B6AFE6F6E72B
                                                                                                                                                            SHA-256:B3F434CFFAEC74B744EDFEB916CD54B2FD0404319178C674E46F6BC65C6E56CD
                                                                                                                                                            SHA-512:981064B4BF3D2CAE0AFB1BAEBCE2C0F7379EACEC8D64C85293754A4C43F74A33FD07A2A6CB949504B9D8662600F3AC24512EAE7E3143C1242F679C7473074D02
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A...A...A...Z.'._...Z...Q......C...Z.&.....H...L...A......Z.".D...Z...@...Z...@...Z...@...RichA...................PE..L....,#c...........!................(........0......................................................................`y......|j..........@.......................H....................................................0...............................text...T........................... ..`.rdata..'K...0...L..................@..@.data....,...........f..............@....rsrc...@............z..............@..@.reloc...!......."..................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):69120
                                                                                                                                                            Entropy (8bit):6.024967061017882
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:85428CF1F140E5023F4C9D179B704702
                                                                                                                                                            SHA1:1B51213DDBAEDFFFB7E7F098F172F1D4E5C9EFBA
                                                                                                                                                            SHA-256:8D9A23DD2004B68C0D2E64E6C6AD330D0C648BFFE2B9F619A1E9760EF978207A
                                                                                                                                                            SHA-512:DFE7F9F3030485CAF30EC631424120030C3985DF778993342A371BF1724FA84AA885B4E466C6F6B356D99CC24E564B9C702C7BCDD33052172E0794C2FDECCE59
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.................F.........................5.....5....:6....Rich...........PE..L.....Oa...........!................KG....................................................@.............................B.......(....................................................................................................................text...b........................... ..`.rdata..R...........................@..@.data............2..................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):12288
                                                                                                                                                            Entropy (8bit):5.814115788739565
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):21426
                                                                                                                                                            Entropy (8bit):7.414051323260024
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:641995DCA6E3100E845E78E5474A66B9
                                                                                                                                                            SHA1:721729D82041E064E8FF305CCCF5B2564CD3BD30
                                                                                                                                                            SHA-256:3BA4ECC6A8013CBEBECA713E2B9354E00C1C746E16E32238C3A275647796C3D2
                                                                                                                                                            SHA-512:33959F4AAFB494BBC12919C581B6D10064B4EBAD752BC81D6CACA3E5633D5D7DEFF2FFC78AF4D0C97AE16F1CF944D1BC2177BC59BE9B196DA35B3C947D48DA5F
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......JFIF.....`.`....."Exif..MM.*.........................C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....l|!...zm.........K.V....*....~.+m^.s8.+H..QT.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.W.m...5z..+.......QZ..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1768
                                                                                                                                                            Entropy (8bit):4.628745287685124
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:E750A9502809C0B97224053EA8A2FB50
                                                                                                                                                            SHA1:970580150F8CF3427E6A8E7B0F2594131025C778
                                                                                                                                                            SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
                                                                                                                                                            SHA-512:6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......JFIF.....].].....rExif..MM.*.............................J...........R.(...........1.........Z......o.......o.....paint.net 5.0.7....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PC bitmap, Windows 3.x format, 83 x 104 x 8, image size 8736, resolution 3778 x 3778 px/m, cbSize 9814, bits offset 1078
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):9814
                                                                                                                                                            Entropy (8bit):2.2213559532597427
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:BFCF1F0F62115A68FB836BF28AA9C183
                                                                                                                                                            SHA1:9E30C7F08CFEBD79D8637EEA8C2675F06885A75F
                                                                                                                                                            SHA-256:CC5EC3BA7F3BCDCDFFD8154E62F8A52A1C9E98306EDBF1453D2F515A8A438797
                                                                                                                                                            SHA-512:9891EBB390EF38E116DA4C50C8AB23A56D7261305FCD0CB2AB00C294DD5B7C9B5B317C34FDE38FA9E85E9BD382B3CC62CC9A99D92BAC04AB41C01F27F87AAA6F
                                                                                                                                                            Malicious:false
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1768
                                                                                                                                                            Entropy (8bit):4.628745287685124
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:E750A9502809C0B97224053EA8A2FB50
                                                                                                                                                            SHA1:970580150F8CF3427E6A8E7B0F2594131025C778
                                                                                                                                                            SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
                                                                                                                                                            SHA-512:6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
                                                                                                                                                            Malicious:false
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):21426
                                                                                                                                                            Entropy (8bit):7.414051323260024
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:641995DCA6E3100E845E78E5474A66B9
                                                                                                                                                            SHA1:721729D82041E064E8FF305CCCF5B2564CD3BD30
                                                                                                                                                            SHA-256:3BA4ECC6A8013CBEBECA713E2B9354E00C1C746E16E32238C3A275647796C3D2
                                                                                                                                                            SHA-512:33959F4AAFB494BBC12919C581B6D10064B4EBAD752BC81D6CACA3E5633D5D7DEFF2FFC78AF4D0C97AE16F1CF944D1BC2177BC59BE9B196DA35B3C947D48DA5F
                                                                                                                                                            Malicious:false
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1768
                                                                                                                                                            Entropy (8bit):4.628745287685124
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:E750A9502809C0B97224053EA8A2FB50
                                                                                                                                                            SHA1:970580150F8CF3427E6A8E7B0F2594131025C778
                                                                                                                                                            SHA-256:6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
                                                                                                                                                            SHA-512:6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
                                                                                                                                                            Malicious:false
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):7066
                                                                                                                                                            Entropy (8bit):4.240740520431343
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:6760E84E617164F959E76298BE77701B
                                                                                                                                                            SHA1:558896858DE762C3C731572117F0209C021A8311
                                                                                                                                                            SHA-256:A6DFCFFA07DF1AC46881E977801CE6C465AC7E9427BEC164208F34446F098A3A
                                                                                                                                                            SHA-512:5C8CB1D3FE9F84DEE4958837E3B42B3734A2AE86E32DBB67BAFF6602C85FA6DDFDD39345AD24E2D90B38C693F024B6F2709E82135B90F42CF2FCD1F59DC49480
                                                                                                                                                            Malicious:false
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):39424
                                                                                                                                                            Entropy (8bit):4.684597989866362
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:A35CDC9CF1D17216C0AB8C5282488EAD
                                                                                                                                                            SHA1:ED8E8091A924343AD8791D85E2733C14839F0D36
                                                                                                                                                            SHA-256:A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
                                                                                                                                                            SHA-512:0F15B00D0BF2AABD194302E599D69962147B4B3EF99E5A5F8D5797A7A56FD75DD9DB0A667CFBA9C758E6F0DAB9CED126A9B43948935FE37FC31D96278A842BDF
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):9728
                                                                                                                                                            Entropy (8bit):5.158136237602734
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:6C3F8C94D0727894D706940A8A980543
                                                                                                                                                            SHA1:0D1BCAD901BE377F38D579AAFC0C41C0EF8DCEFD
                                                                                                                                                            SHA-256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
                                                                                                                                                            SHA-512:2094F0E4BB7C806A5FF27F83A1D572A5512D979EEFDA3345BAFF27D2C89E828F68466D08C3CA250DA11B01FC0407A21743037C25E94FBE688566DD7DEAEBD355
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):24064
                                                                                                                                                            Entropy (8bit):5.819708895488079
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:F4D89D9A2A3E2F164AEA3E93864905C9
                                                                                                                                                            SHA1:4D4E05EE5E4E77A0631A3DD064C171BA2E227D4A
                                                                                                                                                            SHA-256:64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB
                                                                                                                                                            SHA-512:DBDA3FE7CA22C23D2D0F2A5D9D415A96112E2965081582C7A42C139A55C5D861A27F0BD919504DE4F82C59CF7D1B97F95ED5A55E87D574635AFDB7EB2D8CADF2
                                                                                                                                                            Malicious:false
                                                                                                                                                            Antivirus:
                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):32768
                                                                                                                                                            Entropy (8bit):3.202921489792736
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:F326853072FE3CC47E8674A0DA3948FD
                                                                                                                                                            SHA1:566059B5CA041E7791BA540E5363611E0DA24C7A
                                                                                                                                                            SHA-256:0EA5EB33337EFC41C676CAEEA5763E024BB68DC7CF4819A733998901987653DB
                                                                                                                                                            SHA-512:446EDE9BDEC70B0990BA48739D185AAA3D4C7AA34E8FD5D7B083CAFA928E9E435546EE91853F3D6D49CBBFF2D3BF9C38318850E0A92347FB9089340947732250
                                                                                                                                                            Malicious:false
                                                                                                                                                             Preview:
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):22962
                                                                                                                                                            Entropy (8bit):7.232618156384083
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:D8EDB5C7C12EB2484A6531AC3E5678CD
                                                                                                                                                            SHA1:899B3546539042D8D0204CD47C299436BCFF2E2A
                                                                                                                                                            SHA-256:B93D8FA66CCE43D7D613239D60D505AE06B8BA8C7D1C489A065E0579CBB86DC6
                                                                                                                                                            SHA-512:5C9090C40ED35977FB92CD83242B5DF4153359A8E2CD3858E8322FD3A2CBBADA51CFBB2FB9485E24870F69832A97E3B4CE454516049476AE7ADCC10C92B824F2
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\Desktop\Setup.exe
                                                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):32768
                                                                                                                                                            Entropy (8bit):6.676308750125457
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:421D061C0800E80B023250D153E7FD85
                                                                                                                                                            SHA1:C9C99745C56D2469998CE82890E7F65FE51E619D
                                                                                                                                                            SHA-256:7AC23DFB9AB7EB1B3537BA840631ECA395F9221B0999E8EC42B4D90D8F1A8605
                                                                                                                                                            SHA-512:5D96E3FA54530E3B8C798C8D70FBB8B924FC594DEACCFA6038CAAEC56A63923EA7B1AD17E11C90FB9A21151326C2F6DDCA7A9FFAAC6D744C7DD9652B983335B6
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
                                                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):22962
                                                                                                                                                            Entropy (8bit):7.23254071200982
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:06D20CC58B9974F564EC764EF3CA05BE
                                                                                                                                                            SHA1:F8D4E9969100C54C597E0BD21380B8A4E5DA5EB7
                                                                                                                                                            SHA-256:A36A480EA208F75630544A5AE9FE62DC889F2AF036A6A9C07256E62658DAA929
                                                                                                                                                            SHA-512:2E58E96588CC6A30D881760C94B0E1F7085D92863DBC38614DCB5F1002FA4650A7DDDF6A26686612BB2C7A69D1F87D4D8CFE9389007D01BFB34D6889FDEF7E57
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 13:57:37 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2677
                                                                                                                                                            Entropy (8bit):3.991055570725238
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:B769FDDF598D11957679ADBA158C76B3
                                                                                                                                                            SHA1:18F4529C42A57312BE0752E3260EB9A973239DEC
                                                                                                                                                            SHA-256:22A37EE5BBC0FA747D6FDAB842F3359A109FDC818DEFE9B1BFABAA541D690FA2
                                                                                                                                                            SHA-512:F6353AC5A8B0075FFFE659BBADE71E102F68F4212BFB21E32B057E1E4E86635690F654052BC75B392015319634E0FECC12D07F7701F16E414A042D122C8D4EFA
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.@.. ...$+.,........oc......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I*Z#w....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V*Z2w....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V*Z2w....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V*Z2w...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V*Z3w...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X..k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 13:57:37 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2679
                                                                                                                                                            Entropy (8bit):4.003997673588643
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:55383E647F9E57446E125053627F6A76
                                                                                                                                                            SHA1:03EDD980F5303FAC4E09E871904CEE9DFA3658DC
                                                                                                                                                            SHA-256:55C47CB08B3DA9706D47AA121370D5108241756B0F9B18DC80C2C5276126B6DD
                                                                                                                                                            SHA-512:270D46430B9195F1DE6A53A487F1C50AAACB58F28E03B0C425B60A33DB27DA82A44B8D48F827EC2BC900B40BCB1640A0963D1505E30F0DE344CB397C9EA9AFA7
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.@.. ...$+.,........oc......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I*Z#w....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V*Z2w....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V*Z2w....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V*Z2w...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V*Z3w...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X..k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2693
                                                                                                                                                            Entropy (8bit):4.017534801335493
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:DFCAE57CF3C1928BF0333BE88B449C25
                                                                                                                                                            SHA1:E38C07D150F3E37D70B001668CAF4DE90721A8C5
                                                                                                                                                            SHA-256:7B9BD473B11898D45414BF35E8B1084B80E78D328C536E3FBF36A0080A3427ED
                                                                                                                                                            SHA-512:77F96C98C3DBE84509BB0D634CC7E3AC1390E774C5367569813642B83791CEFAC7A6819ED42AF4EAAB01DE1D145E084ECE2039A964A6552B5F14D6CBA3550030
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I*Z#w....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V*Z2w....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V*Z2w....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V*Z2w...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X..k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 13:57:37 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2681
                                                                                                                                                            Entropy (8bit):4.001390082038041
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:BCEEE56B41FA7190C9AC6A4FB19C7C69
                                                                                                                                                            SHA1:CD29CE164E2AE2EBF9D428A1C3BFEDE60BFE3314
                                                                                                                                                            SHA-256:7579197F4EBF6B4C4A95C2E9749C7053C29596EA39BF6784FB4EAB65232F1793
                                                                                                                                                            SHA-512:2E569D9A06F0246266E1E169BEB6FA66B02A16E8423521E146C77019FE945FA0EC7891FA0E818E185A21EB996C6DF6FEC40F00DEED9DE9A82DB5BBDE8ECC0A07
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.@.. ...$+.,....8...oc......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I*Z#w....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V*Z2w....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V*Z2w....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V*Z2w...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V*Z3w...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X..k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 13:57:37 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2681
                                                                                                                                                            Entropy (8bit):3.992484423708197
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:0C180FD93EEC76A64F8EDC37CEE5088F
                                                                                                                                                            SHA1:923EEA0246D1F10F0B0BCA606837467032366877
                                                                                                                                                            SHA-256:8537CD199E3B9A4151269B2676328FF596658A0FB3A98FA86875C5B73D31BAB3
                                                                                                                                                            SHA-512:3354BAFD6BFC061EBB10034C8E6C4D8D4DD18A1C0CB6BBA697F73DF22A4DD33183125703B986B998ECF3CB733F9D28EC3372707773A2A58E04CFDEB2A43DB2DC
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.@.. ...$+.,........oc......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I*Z#w....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V*Z2w....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V*Z2w....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V*Z2w...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V*Z3w...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X..k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 13:57:37 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2683
                                                                                                                                                            Entropy (8bit):4.0018064359671035
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:0A6B8E0DAAE95FE713D8E57AEFD02069
                                                                                                                                                            SHA1:C9120DCB43C4E79185ABEBBACCC60F354E740B4D
                                                                                                                                                            SHA-256:967266F752CB42BA0E3B38C54EFB39F645B6AEEFAA78B5648F18BEF555881C50
                                                                                                                                                            SHA-512:1A0993559E31D24C4C79E6A3A022DD6C5602E840ECCD7CE8C9C90698689F01153394BF0B3B6451F3FDEF2FD9BDD6253D17174FBB3DEEAF639E431E4EE8B66E7E
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:L..................F.@.. ...$+.,.....6..oc......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I*Z#w....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V*Z2w....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V*Z2w....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V*Z2w...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V*Z3w...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X..k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:ASCII text, with very long lines (1572)
                                                                                                                                                            Category:downloaded
                                                                                                                                                            Size (bytes):5973
                                                                                                                                                            Entropy (8bit):5.385847419693263
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:207F621B4209616283D091A5A0F8CD49
                                                                                                                                                            SHA1:D34E96207B74C7446771ED458DDB74AE78121E93
                                                                                                                                                            SHA-256:5780DCB011235F74EBD060A2E1D7E214E3BD12E13982BF4BD7FBE052D3D55F63
                                                                                                                                                            SHA-512:91EA88B5F95863ABBB93E69AF3D7F68BD0D5C3716C5294869A64D5C08C573DA8FE1695279B397D7E7765431863013AC7AFB6DA00559C49AA49E6D4E87580C306
                                                                                                                                                            Malicious:false
                                                                                                                                                            URL:https://fonts.googleapis.com/css?family=Open%20Sans
                                                                                                                                                            Preview:/* cyrillic-ext */.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVIGxA.woff2) format('woff2');. unicode-range: U+0460-052F, U+1C80-1C8A, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./* cyrillic */.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVIGxA.woff2) format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./* greek-ext */.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVIGxA.woff2) format('woff2');. unicode-range: U+1F00-1FFF;.}./* greek */.@font-fa
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):675
                                                                                                                                                            Entropy (8bit):7.606800268124855
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:8D1ED092B3BE364DC47574F1310D2C87
                                                                                                                                                            SHA1:D5BBA623B5AFB4C5B6C0AD5ED04A10F1881DA595
                                                                                                                                                            SHA-256:07B61E98466A1F851D5DCF555AD9B901684EE622275129B98C38DA3785506FF2
                                                                                                                                                            SHA-512:70134A9B5B786473A56F11BA7098CA6AF568EEF97AA8704A9748A5EFDFC4F16CEE1F9C22CEA9F55660BE4FEB14D6C1B5B09A7C76076D4F813A58FECF27BB8828
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview:.PNG........IHDR... ... .....szz....jIDATx..VKK.Q....R."..q.....Z.|.P....."b..'.......XiE..B6.6Z.c4.8....nf.$Nf&^. d1.w..9'.*..$.(.2N.V.|.&....g...8.E.%].y.G_$8...O.H..4....%..>.N...P.....K..V9Z..4f..Y.,..T.pGi.%.?8.,@..W.'q...g...}p8....y.5r.......)......&....(.WrD_V.er.).h.....t....c~sN..u&S....Z.m|.n..c.-_.A....(...._....X....,.hBD..<Z..Yk.V..._7V...U.........;....'....F..>;B..8.^.f../.:.. a?]..\.l......&@dD.g..y.r.p.g....fG<......M...r.....c..,...FJ,W...2G...d.9Q.4..5{4D...,._Oe.......Csbw.M~......dU.........j.0W.....r...'.s6..S......n...E...V@..e.$V....rfeN7.I...z+..`..R.,.N.]...>z..i#.*.~b.....N'..~0go.].*....I.e.x........[.S......IEND.B`.
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                                                                            Category:downloaded
                                                                                                                                                            Size (bytes):675
                                                                                                                                                            Entropy (8bit):7.606800268124855
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:8D1ED092B3BE364DC47574F1310D2C87
                                                                                                                                                            SHA1:D5BBA623B5AFB4C5B6C0AD5ED04A10F1881DA595
                                                                                                                                                            SHA-256:07B61E98466A1F851D5DCF555AD9B901684EE622275129B98C38DA3785506FF2
                                                                                                                                                            SHA-512:70134A9B5B786473A56F11BA7098CA6AF568EEF97AA8704A9748A5EFDFC4F16CEE1F9C22CEA9F55660BE4FEB14D6C1B5B09A7C76076D4F813A58FECF27BB8828
                                                                                                                                                            Malicious:false
                                                                                                                                                            URL:https://repository.pcapp.store/pcapp/images/fast.png
                                                                                                                                                            Preview:.PNG........IHDR... ... .....szz....jIDATx..VKK.Q....R."..q.....Z.|.P....."b..'.......XiE..B6.6Z.c4.8....nf.$Nf&^. d1.w..9'.*..$.(.2N.V.|.&....g...8.E.%].y.G_$8...O.H..4....%..>.N...P.....K..V9Z..4f..Y.,..T.pGi.%.?8.,@..W.'q...g...}p8....y.5r.......)......&....(.WrD_V.er.).h.....t....c~sN..u&S....Z.m|.n..c.-_.A....(...._....X....,.hBD..<Z..Yk.V..._7V...U.........;....'....F..>;B..8.^.f../.:.. a?]..\.l......&@dD.g..y.r.p.g....fG<......M...r.....c..,...FJ,W...2G...d.9Q.4..5{4D...,._Oe.......Csbw.M~......dU.........j.0W.....r...'.s6..S......n...E...V@..e.$V....rfeN7.I...z+..`..R.,.N.]...>z..i#.*.~b.....N'..~0go.].*....I.e.x........[.S......IEND.B`.
                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            File Type:Web Open Font Format (Version 2), TrueType, length 18668, version 1.0
                                                                                                                                                            Category:downloaded
                                                                                                                                                            Size (bytes):18668
                                                                                                                                                            Entropy (8bit):7.988119248989337
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:
                                                                                                                                                            MD5:8655D20BBCC8CDBFAB17B6BE6CF55DF3
                                                                                                                                                            SHA1:90EDBFA9A7DABB185487B4774076F82EB6412270
                                                                                                                                                            SHA-256:E7AF9D60D875EB1C1B1037BBBFDEC41FCB096D0EBCF98A48717AD8B07906CED6
                                                                                                                                                            SHA-512:47308DE25BD7E4CA27F59A2AE681BA64393FE4070E730C1F00C4053BAC956A9B4F7C0763C04145BC50A5F91C12A0BF80BDD4B03EECC2036CD56B2DB31494CBAF
                                                                                                                                                            Malicious:false
                                                                                                                                                            URL:https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI.woff2
                                                                                                                                                            Preview:wOF2......H...........H..........................|.....h.`?STAT^..0..|...........+..2..6.$..`. ..x........z'o..w;....6.E....6....E...'$H.#.....n1X..JU/.d.O..JC.'J".v.v.l.h.....u.S...SY.....B.hz.o.}......W......%m6...A..=....\..m. .]..~.[..........]...I.*.h.=.....6.xt..F....Lt...Qs-.7..{...~BI.".F.Q......F...P..dMw..#I2........Rq.Q&.0@.;..;...3VG..:c.nki..-Q..2##e.u...8n....\?....T..b....^..#...../.J|OM..St....e.S.}!.....>..i.T/a.ES%.W.P3..`..a.R.A.....!~g..74.np8o.....d[6?.P.4)P.....AG.3.......;#0.y....M..O/2.@.4..N.vA$.:M&H,.AT".........@..a.~..L->...0@h...~.._..N"......t......C./g7..............2E.N.J...TW.F..."A.B...n.......i.?.{\.L.!*.B..x...S..!........?.\,... .@.....y"xw.A8.w..!E..-^P O..+.T.r.R.zz..K..].E.....Ri.)g.P...j..w..c.M.F.v../........Q....'...(....X..;.K.!BZ3.........f.....N.A(....cA`.b'...`.~sa*^.....?..../.L.S......t..`@h..C.....>N.W...;>..._h.+~=|......uOGA{.7.....h....q.d.4$.x<.....^0|...@....@Q[RC.0....b....'...*RID
                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                            Entropy (8bit):7.718956558480856
                                                                                                                                                            TrID:
                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                            File name:Setup.exe
                                                                                                                                                            File size:225'616 bytes
                                                                                                                                                            MD5:8f195e5120614a9e3a734e496e1cc08f
                                                                                                                                                            SHA1:e9cf4b56a535222a7e3755d4bcc1705aca7c15de
                                                                                                                                                            SHA256:319a04d9599da49736e379f99d5dbabfc42f037b6e9b75db328bf05f37db7ae1
                                                                                                                                                            SHA512:8412332a2dbf8643ee69264e1470379f512168785596bc7d29d75247c8866d893f01e9f7c03faca5588c3e7094cdc298b48157c4d112471e2e94be40cf40d224
                                                                                                                                                            SSDEEP:6144:CbE/HU22prZK7ovHY6av4TVeO7+FU1FKLJBOFg45n73s:Cb1NZK4YxgTVeO7+F+KnIg4bs
                                                                                                                                                            TLSH:712412507660D8C3C8E38773BE3A533A99BD837B66746E8303046A5C2E52351676F749
                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........
                                                                                                                                                            Icon Hash:f9d49b792593090d
                                                                                                                                                            Entrypoint:0x40352d
                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                            Digitally signed:true
                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                            Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                                                                                                                                                            TLS Callbacks:
                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                            OS Version Major:4
                                                                                                                                                            OS Version Minor:0
                                                                                                                                                            File Version Major:4
                                                                                                                                                            File Version Minor:0
                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                            Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                                                                                                                                                            Signature Valid:true
                                                                                                                                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                            Signature Validation Error:The operation completed successfully
                                                                                                                                                            Error Number:0
                                                                                                                                                             Not Before:08/05/2024 02:00:00
                                                                                                                                                             Not After:14/02/2025 00:59:59
                                                                                                                                                            Subject Chain
                                                                                                                                                            • CN=FAST CORPORATION LTD, O=FAST CORPORATION LTD, L=Ra'anana, C=IL, SERIALNUMBER=515636181, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
                                                                                                                                                            Version:3
                                                                                                                                                            Thumbprint MD5:04786BD703B906E22AECB2AD38CE4D94
                                                                                                                                                            Thumbprint SHA-1:07BE42727905BE32C822A638502C1B8FAAE6540A
                                                                                                                                                            Thumbprint SHA-256:FDB017BB88E5D453E22A73810690C72534F58EFB109EA0D4494EC393F2307DBC
                                                                                                                                                            Serial:0E5C655E1CBE9A8879372F58A5BC0302
                                                                                                                                                            Instruction
                                                                                                                                                            push ebp
                                                                                                                                                            mov ebp, esp
                                                                                                                                                            sub esp, 000003F4h
                                                                                                                                                            push ebx
                                                                                                                                                            push esi
                                                                                                                                                            push edi
                                                                                                                                                            push 00000020h
                                                                                                                                                            pop edi
                                                                                                                                                            xor ebx, ebx
                                                                                                                                                            push 00008001h
                                                                                                                                                            mov dword ptr [ebp-14h], ebx
                                                                                                                                                            mov dword ptr [ebp-04h], 0040A2E0h
                                                                                                                                                            mov dword ptr [ebp-10h], ebx
                                                                                                                                                            call dword ptr [004080CCh]
                                                                                                                                                            mov esi, dword ptr [004080D0h]
                                                                                                                                                            lea eax, dword ptr [ebp-00000140h]
                                                                                                                                                            push eax
                                                                                                                                                            mov dword ptr [ebp-0000012Ch], ebx
                                                                                                                                                            mov dword ptr [ebp-2Ch], ebx
                                                                                                                                                            mov dword ptr [ebp-28h], ebx
                                                                                                                                                            mov dword ptr [ebp-00000140h], 0000011Ch
                                                                                                                                                            call esi
                                                                                                                                                            test eax, eax
                                                                                                                                                            jne 00007FEEF8B7BDEAh
                                                                                                                                                            lea eax, dword ptr [ebp-00000140h]
                                                                                                                                                            mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FEEF8B7BDBAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x75000 | 0x4a80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x347e8 | 0x2968 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6897 | 0x6a00 | ce9df19df15aa7bfbc0a8d0af0b841d0 | False | 0.6661261792452831 | data | 6.458398214928006 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a6 | 0x1600 | a118375c929d970903c1204233b7583d | False | 0.4392755681818182 | data | 5.024109281264143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2b018 | 0x600 | 82a10c59a8679bb952fc8316070b8a6c | False | 0.521484375 | data | 4.15458210408643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x36000 | 0x3f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x75000 | 0x4a80 | 0x4c00 | e24c4c098791e3921d9b8e42da598750 | False | 0.23514597039473684 | data | 4.4140297012897936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x751d8 | 0x3e28 | Device independent bitmap graphic, 60 x 128 x 32, image size 0 | English | United States | 0.19343891402714933
RT_DIALOG | 0x79000 | 0x1a0 | data | English | United States | 0.4110576923076923
RT_DIALOG | 0x791a0 | 0x118 | data | English | United States | 0.6035714285714285
RT_DIALOG | 0x792b8 | 0x12a | data | English | United States | 0.587248322147651
RT_GROUP_ICON | 0x793e8 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0x79400 | 0x250 | data | English | United States | 0.47466216216216217
RT_MANIFEST | 0x79650 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Target ID: 0
Start time: 09:57:22
Start date: 10/01/2025
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Setup.exe"
Imagebase: 0x400000
File size: 225'616 bytes
MD5 hash: 8F195E5120614A9E3A734E496E1CC08F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:57:34
Start date: 10/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=C1B82742-2267-4E50-8B1E-525BB13B4A34&_fcid=
Imagebase: 0x7ff7d6f10000
File size: 3'242'272 bytes
MD5 hash: 83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:57:34
Start date: 10/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1864,i,6811724821742435092,4060110425535167665,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff7d6f10000
File size: 3'242'272 bytes
MD5 hash: 83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 20
Start time: 09:58:54
Start date: 10/01/2025
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase: 0x7ff633be0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 21
Start time: 09:59:12
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\FAST!\Temp\SetupEngine.exe" /fcid /instdir C:\Program Files (x86)\Fast! /startup 1
Imagebase: 0x400000
File size: 130'816'024 bytes
MD5 hash: AC411F56C2DD288E58B1D0F02FE441D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 8%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 22
Start time: 09:59:15
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -command "Register-ScheduledTask fast_task -InputObject (New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files (x86)\Fast!\fast!.exe') -Principal (New-ScheduledTaskPrincipal -UserId ($Env:UserDomain + '\' + $Env:UserName) -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -MultipleInstances Queue -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)) -Force"
Imagebase: 0xbb0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                            Target ID:23
                                                                                                                                                            Start time:09:59:15
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            Imagebase:0x7ff772470000
                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:24
                                                                                                                                                            Start time:09:59:18
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                            Imagebase:0x520000
                                                                                                                                                            File size:418'304 bytes
                                                                                                                                                            MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:moderate
                                                                                                                                                            Has exited:false

                                                                                                                                                            Target ID:25
                                                                                                                                                            Start time:09:59:21
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml
                                                                                                                                                            Imagebase:0x960000
                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:false

                                                                                                                                                            Target ID:26
                                                                                                                                                            Start time:09:59:21
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            Imagebase:0x7ff772470000
                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:false

                                                                                                                                                            Target ID:27
                                                                                                                                                            Start time:09:59:21
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp
                                                                                                                                                            Imagebase:0x860000
                                                                                                                                                            File size:144'688 bytes
                                                                                                                                                            MD5 hash:FC41CABDD3C18079985AC5F648F58A90
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Antivirus matches:
                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                            Reputation:moderate
                                                                                                                                                            Has exited:false

                                                                                                                                                            No disassembly