Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1587694
MD5:	8f195e5120614a9e3a734e496e1cc08f
SHA1:	e9cf4b56a535222a7e3755d4bcc1705aca7c15de
SHA256:	319a04d9599da49736e379f99d5dbabfc42f037b6e9b75db328bf05f37db7ae1
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w11x64_office

Setup.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 8F195E5120614A9E3A734E496E1CC08F)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Setup.exe	Virustotal: Detection: 20%			Perma Link
Source: Setup.exe	ReversingLabs: Detection: 34%

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: inetc.dll.1.dr

Source: Joe Sandbox View

IP Address: 161.35.127.181 161.35.127.181

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /pixel.gif?guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&evt_src=installer&evt_action=show_page&version=2.353&page=wel HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: veryfast.ioConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: veryfast.io

Source: unknown

HTTP traffic detected: POST /inst_cpg.php?src=fast_mini&guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&version=2.353&uc=16le HTTP/1.1Content-Type: application/jsonUser-Agent: NSIS_wininetHost: veryfast.ioContent-Length: 3186Cache-Control: no-cache

Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe, 00000001.00000002.12154458930.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe, 00000001.00000002.12154458930.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/
Source: Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/?p=lp_veryfast_privacy_r1&guid=0x408
Source: Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/?p=lp_veryfast_tos_r1&guid=
Source: Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/X
Source: Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/download.php?engine=1&guid=
Source: Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/inst_cpg.php?src=fast_mini&guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&vers
Source: Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installing.html?guid=
Source: Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=
Source: Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=&version=&evt_src=installer&evt_action=cancel
Source: Setup.exe, 00000001.00000002.12153300391.0000000000816000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&evt_src=installer&evt

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: Setup.exe, 00000001.00000002.12155504514.000000006C207000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamensJSON.dllH vs Setup.exe
Source: Setup.exe, 00000001.00000002.12155184432.000000001001B000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameGraphicalInstaller.dllX vs Setup.exe
Source: Setup.exe, 00000001.00000002.12152933698.0000000000416000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGraphicalInstaller.dllX vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.evad.winEXE@1/14@1/1

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\FAST!

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsfF3F.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe	Virustotal: Detection: 20%
Source: Setup.exe	ReversingLabs: Detection: 34%

Source: Setup.exe

String found in binary or memory: www.graphical-installer.com

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: virtdisk.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: inetc.dll.1.dr

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Math.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\GraphicalInstaller.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Math.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\GraphicalInstaller.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvF50.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: Setup.exe, 00000001.00000003.11857955280.000000000081E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Setup.exe, 00000001.00000002.12153300391.000000000084E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf
Source: Setup.exe, 00000001.00000003.11857430264.000000000081C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware%2C+Inc%2E

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	131 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	122 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	21%	Virustotal		Browse
Setup.exe	35%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\GraphicalInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\GraphicalInstaller.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Math.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsJSON.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
veryfast.io	161.35.127.181	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://veryfast.io/pixel.gif?guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&evt_src=installer&evt_action=show_page&version=2.353&page=wel	false		high
https://veryfast.io/inst_cpg.php?src=fast_mini&guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&version=2.353&uc=16le	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://veryfast.io/inst_cpg.php?src=fast_mini&guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&vers	Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/?p=lp_veryfast_tos_r1&guid=	Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/download.php?engine=1&guid=	Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/	Setup.exe, 00000001.00000002.12154458930.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/pixel.gif?guid=&version=&evt_src=installer&evt_action=cancel	Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/X	Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Setup.exe	false	high
https://veryfast.io/pixel.gif?guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&evt_src=installer&evt	Setup.exe, 00000001.00000002.12153300391.0000000000816000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.12154458930.0000000003DA9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/installing.html?guid=	Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/?p=lp_veryfast_privacy_r1&guid=0x408	Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/pixel.gif?guid=	Setup.exe, 00000001.00000002.12153300391.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
161.35.127.181	veryfast.io	United States		14061	DIGITALOCEAN-ASNUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587694
Start date and time:	2025-01-10 16:04:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@1/14@1/1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.64.149.23, 104.18.38.233, 4.245.163.56
Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, crt.comodoca.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
161.35.127.181	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	SetupEngine.exe	Get hash	malicious	Unknown	Browse
	https://veryfast.io	Get hash	malicious	Unknown	Browse
	https://veryfast.io	Get hash	malicious	Unknown	Browse
	https://macdownload.informer.com/osx-fiery-master-installer/	Get hash	malicious	Unknown	Browse
	9c23f857-b0b9-47d6-b664-47a3132066f4.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
veryfast.io	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	161.35.127.181
	https://www.fsist.com.br	Get hash	malicious	Unknown	Browse	64.227.17.224
	https://veryfast.io/downloading.html	Get hash	malicious	Unknown	Browse	161.35.127.181
	fa_rss.exe	Get hash	malicious	Unknown	Browse	3.233.131.217

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse	165.22.210.101
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	206.189.225.178
	5.elf	Get hash	malicious	Unknown	Browse	157.245.182.61
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi	Get hash	malicious	Unknown	Browse	64.227.64.62
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DrgFz_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLui8UPBZcrEcBQ64UpH2s9-2FDpSu9qfcgYFRQKTYsD5OOP7p7kgdevUOf60UO0BtzRorOOVdIMlEbf0g38VGeCmtkP8At2J-2BxKEtoZ2O48KqLdUMGUmxH4Esb-2BPRc25uZJoq4Qo0YWw9j31285luIdhLwnz-2B9RfofSABy36tB5aPmDcVeLn5C5N5AJkqjfepa6	Get hash	malicious	Unknown	Browse	188.166.17.21
	armv7l.elf	Get hash	malicious	Unknown	Browse	178.62.201.116
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgBe3vvPhUi3NCctiT7ICCnQ-2FY8o5rhg4URlGJ-2FvsNaBLrMZH2YOUKWM-2BCE-2FXqUBn4SuSDNO43ZHONlcfV0u69WPaY48i3uh3m8lqIzkUcMcKGiml1g6PtP2N9Fq73ADmecSkBDQ1wDesGGu-2Bg3LC1PY31AnFBjTo5itfBoUzfV1y-2FNuV7ub4JBfgFfFwbfDCVw04z2QHPGmvaTuYBRiOw1Tpn5jhya1bpe-2FZKFIvw6DpoIa015fiQnAkr21qCIGDz3kcWaHiPPoAcEbgrIJQtXRwdHoKOAHjnLbHeTfYxioE2jQ-2BKzgO6L-2FLiLt79tmJXX2KYx8D6DTv7nI91sFKT8dXMJM0DazaslrneD4lIUneNyaGARqqUVvrSB7-2BzgxAL-2FuXFyd1qjf-2FnnaV5h661BgCBEWKyZBkPjSGhvc635VlrPtfR5g3T0pDVRqQ8o-2Fg4-3DfYwI_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419PER4av1iPHZIu7rMCH4g59O-2FpVm-2BPXLGfx0fQIDbM830SEyalx7CL7LS5G2wzbNPhsJ2FagkVeT-2FvL4PXhjlJE5YFKw59He2Ja9QVSEHwhUEJm-2BBDxFee6A4QFWAIxMlxI8kis-2B4bFFLDszJAKx313jD-2F4FRd82vUXuacU2lSKZ4Ah2gmv6sbaeoxYrNwq4bbw0e0DJ7EzH1nxfqSXJpTz	Get hash	malicious	Unknown	Browse	64.227.64.62
	3.elf	Get hash	malicious	Unknown	Browse	157.230.180.162
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	162.243.189.2

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll	SetupEngine.exe	Get hash	malicious	Unknown	Browse
	https://veryfast.io	Get hash	malicious	Unknown	Browse
	https://veryfast.io	Get hash	malicious	Unknown	Browse
	9c23f857-b0b9-47d6-b664-47a3132066f4.exe	Get hash	malicious	Unknown	Browse
	9c23f857-b0b9-47d6-b664-47a3132066f4.exe	Get hash	malicious	Unknown	Browse
	COTA#U00c7#U00c3O MAGNA LTDA MFOC231877756745758450045Hemihedrism.exe	Get hash	malicious	GuLoader, Remcos	Browse
	COTA#U00c7#U00c3O MAGNA LTDA MFOC231877756745758450045Hemihedrism.exe	Get hash	malicious	GuLoader	Browse
	rCOTA____OMAGNA.exe	Get hash	malicious	GuLoader, Remcos	Browse
	rCOTA____OMAGNA.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.679447058913102
Encrypted:	false
SSDEEP:	48:qfvVqdq/6waPy6Qths/zvXg1ss0Ai+wGXwBxirvdcwr1B38:E8A6wwzvwV0TFGABxix/1C
MD5:	A1B9BDEE9FC87D11676605BD79037646
SHA1:	8D6879F63048EB93B9657D0B78F534869D1FFF64
SHA-256:	39E3108E0A4CCFB9FE4D8CAF4FB40BAA39BDD797F3A4C1FA886086226E00F465
SHA-512:	CD65D18ECA885807C7C810286CEBEF75555D13889A4847BB30DC1A08D8948893899CC411728097641A8C07A8DCC59E1C1EFA0E860E93DADA871D5B7ACC61B1E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SetupEngine.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 9c23f857-b0b9-47d6-b664-47a3132066f4.exe, Detection: malicious, Browse Filename: 9c23f857-b0b9-47d6-b664-47a3132066f4.exe, Detection: malicious, Browse Filename: COTA#U00c7#U00c3O MAGNA LTDA MFOC231877756745758450045Hemihedrism.exe, Detection: malicious, Browse Filename: COTA#U00c7#U00c3O MAGNA LTDA MFOC231877756745758450045Hemihedrism.exe, Detection: malicious, Browse Filename: rCOTA____OMAGNA.exe, Detection: malicious, Browse Filename: rCOTA____OMAGNA.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.............................. ......0#......Rich............................PE..L....Oa...........!......................... ...............................P............@.........................."..h...l ..<............................@....................................................... ..l............................text...j........................... ..`.rdata..(.... ......................@..@.data...<....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\GraphicalInstaller.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	6.21400379458023
Encrypted:	false
SSDEEP:	1536:v2JZgqik14o+q5qbCfKIJPcFytROki+GNjFcspf8U5JsIyjWpk6:+JiCjt5qbOjJUFytRr6jFR8U5JsFqpz
MD5:	6FF9AA6C53A5035789F57FA3339267A0
SHA1:	DC7603910C8FF0FFB9364CB5E5E2B6AFE6F6E72B
SHA-256:	B3F434CFFAEC74B744EDFEB916CD54B2FD0404319178C674E46F6BC65C6E56CD
SHA-512:	981064B4BF3D2CAE0AFB1BAEBCE2C0F7379EACEC8D64C85293754A4C43F74A33FD07A2A6CB949504B9D8662600F3AC24512EAE7E3143C1242F679C7473074D02
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A...A...A...Z.'._...Z...Q......C...Z.&.....H...L...A......Z.".D...Z...@...Z...@...Z...@...RichA...................PE..L....,#c...........!................(........0......................................................................`y......\|j..........@.......................H....................................................0...............................text...T........................... ..`.rdata..'K...0...L..................@..@.data....,...........f..............@....rsrc...@............z..............@..@.reloc...!......."..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Math.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69120
Entropy (8bit):	6.024967061017882
Encrypted:	false
SSDEEP:	1536:GUZ9QC7V7IGMp2ZmtSX5p9IeJXlSM2tS:T97WSth5lwt
MD5:	85428CF1F140E5023F4C9D179B704702
SHA1:	1B51213DDBAEDFFFB7E7F098F172F1D4E5C9EFBA
SHA-256:	8D9A23DD2004B68C0D2E64E6C6AD330D0C648BFFE2B9F619A1E9760EF978207A
SHA-512:	DFE7F9F3030485CAF30EC631424120030C3985DF778993342A371BF1724FA84AA885B4E466C6F6B356D99CC24E564B9C702C7BCDD33052172E0794C2FDECCE59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.................F.........................5.....5....:6....Rich...........PE..L.....Oa...........!................KG....................................................@.............................B.......(....................................................................................................................text...b........................... ..`.rdata..R...........................@..@.data............2..................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\background.ole

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
Category:	dropped
Size (bytes):	21426
Entropy (8bit):	7.414051323260024
Encrypted:	false
SSDEEP:	384:rL5rXzTlMoTfntrAmBTmAqPfIRB4JiSrWcbQ3aNrUn2Dk6:r48fOfIMJiCO3aNrl
MD5:	641995DCA6E3100E845E78E5474A66B9
SHA1:	721729D82041E064E8FF305CCCF5B2564CD3BD30
SHA-256:	3BA4ECC6A8013CBEBECA713E2B9354E00C1C746E16E32238C3A275647796C3D2
SHA-512:	33959F4AAFB494BBC12919C581B6D10064B4EBAD752BC81D6CACA3E5633D5D7DEFF2FFC78AF4D0C97AE16F1CF944D1BC2177BC59BE9B196DA35B3C947D48DA5F
Malicious:	false
Preview:	......JFIF.....`.`....."Exif..MM..........................C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....l\|!...zm.........K.V........~.+m^.s8.+H..QT.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.W.m...5z..+.......QZ..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\background_small.ole

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	4.628745287685124
Encrypted:	false
SSDEEP:	24:oM1AhXhpKro0XxDuLHeOWXG4OZ7DAJuLHenX32:ghTuERAs
MD5:	E750A9502809C0B97224053EA8A2FB50
SHA1:	970580150F8CF3427E6A8E7B0F2594131025C778
SHA-256:	6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
SHA-512:	6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
Malicious:	false
Preview:	......JFIF.....].].....rExif..MM..............................J...........R.(...........1.........Z......o.......o.....paint.net 5.0.7....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\button.bmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PC bitmap, Windows 3.x format, 83 x 104 x 8, image size 8736, resolution 3778 x 3778 px/m, cbSize 9814, bits offset 1078
Category:	dropped
Size (bytes):	9814
Entropy (8bit):	2.2213559532597427
Encrypted:	false
SSDEEP:	12:9tIfCi8VCCCCCCCCCCCCCCCCCCCCCGNKaUTkOUszTl:foCi8zAa7S
MD5:	BFCF1F0F62115A68FB836BF28AA9C183
SHA1:	9E30C7F08CFEBD79D8637EEA8C2675F06885A75F
SHA-256:	CC5EC3BA7F3BCDCDFFD8154E62F8A52A1C9E98306EDBF1453D2F515A8A438797
SHA-512:	9891EBB390EF38E116DA4C50C8AB23A56D7261305FCD0CB2AB00C294DD5B7C9B5B317C34FDE38FA9E85E9BD382B3CC62CC9A99D92BAC04AB41C01F27F87AAA6F
Malicious:	false
Preview:	BMV&......6...(...S...h........... ".......................................................... @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`....................... ...@...`....................... ...@...`................@...@. .@.@.@.`.@...@...@...@...@ ..@ .@ @.@ `.@ ..@ ..@ ..@ ..@@..@@ .@@@.@@`.@@..@@..@@..@@..@`..@` .@`@.@``.@`..@`..@`..@`..@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@..@...@......... ...@...`.................. ... .. @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`....................... ...@...`....................... ...@...`...................... ...@...`.................. ... .. @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`...

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\fast_background1-inner.jpg

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 93x93, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2, software=paint.net 5.0.7], baseline, precision 8, 256x250, components 3
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	4.628745287685124
Encrypted:	false
SSDEEP:	24:oM1AhXhpKro0XxDuLHeOWXG4OZ7DAJuLHenX32:ghTuERAs
MD5:	E750A9502809C0B97224053EA8A2FB50
SHA1:	970580150F8CF3427E6A8E7B0F2594131025C778
SHA-256:	6B6725F2D798AF2665949F4DC798C2FD1A0F8532B8F476C585AC24B64BAF6969
SHA-512:	6A24630FE45ACB513B489182C2BB8335DF11C264A7B1D233B736E4E2D83DB9ADFC7AA912FEC36CE688817B3A8436C71EC472196D17AB4606564DA46C44B7CF73
Malicious:	false
Preview:	......JFIF.....].].....rExif..MM..............................J...........R.(...........1.........Z......o.......o.....paint.net 5.0.7....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\fast_background1.jpg

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 780x470, components 3
Category:	dropped
Size (bytes):	21426
Entropy (8bit):	7.414051323260024
Encrypted:	false
SSDEEP:	384:rL5rXzTlMoTfntrAmBTmAqPfIRB4JiSrWcbQ3aNrUn2Dk6:r48fOfIMJiCO3aNrl
MD5:	641995DCA6E3100E845E78E5474A66B9
SHA1:	721729D82041E064E8FF305CCCF5B2564CD3BD30
SHA-256:	3BA4ECC6A8013CBEBECA713E2B9354E00C1C746E16E32238C3A275647796C3D2
SHA-512:	33959F4AAFB494BBC12919C581B6D10064B4EBAD752BC81D6CACA3E5633D5D7DEFF2FFC78AF4D0C97AE16F1CF944D1BC2177BC59BE9B196DA35B3C947D48DA5F
Malicious:	false
Preview:	......JFIF.....`.`....."Exif..MM..........................C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....l\|!...zm.........K.V........~.+m^.s8.+H..QT.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.W.m...5z..+.......QZ..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\inetc.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	4.684597989866362
Encrypted:	false
SSDEEP:	384:njt65uI9oYzcCaHjl9Cb4I1f0AGhrHXoREnRxtIpH/u0abJ2v2DW9O9tk8ZwkpwD:noHtNQoRSIwTJB6Q/kPyBp6
MD5:	A35CDC9CF1D17216C0AB8C5282488EAD
SHA1:	ED8E8091A924343AD8791D85E2733C14839F0D36
SHA-256:	A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
SHA-512:	0F15B00D0BF2AABD194302E599D69962147B4B3EF99E5A5F8D5797A7A56FD75DD9DB0A667CFBA9C758E6F0DAB9CED126A9B43948935FE37FC31D96278A842BDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.[.H.[.H.[.H.O.I.R.H.[.I...H...M.Y.H...L.Z.H...H.Z.H.....Z.H...J.Z.H.Rich[.H.................PE..L...n..c...........!.....T.........._........p............................... ............@..........................x......D...d...............................t....w..8...............................................D............................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data....i...........d..............@....idata..A............v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	9728
Entropy (8bit):	5.158136237602734
Encrypted:	false
SSDEEP:	96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc
MD5:	6C3F8C94D0727894D706940A8A980543
SHA1:	0D1BCAD901BE377F38D579AAFC0C41C0EF8DCEFD
SHA-256:	56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
SHA-512:	2094F0E4BB7C806A5FF27F83A1D572A5512D979EEFDA3345BAFF27D2C89E828F68466D08C3CA250DA11B01FC0407A21743037C25E94FBE688566DD7DEAEBD355
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....Oa...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsJSON.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.819708895488079
Encrypted:	false
SSDEEP:	384:n7U5CiIZ1ZC2RvhrTfldNuwQ5pk+BISivMyyOgqCoRUj+OvHxOuofnykhVQJrTU:YoZ1ZnhrTfldqk7Yyy94RxOcVQJrT
MD5:	F4D89D9A2A3E2F164AEA3E93864905C9
SHA1:	4D4E05EE5E4E77A0631A3DD064C171BA2E227D4A
SHA-256:	64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB
SHA-512:	DBDA3FE7CA22C23D2D0F2A5D9D415A96112E2965081582C7A42C139A55C5D861A27F0BD919504DE4F82C59CF7D1B97F95ED5A55E87D574635AFDB7EB2D8CADF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.'..fI_.fI_.fI_3.H^.fI_.fH_?fI_.8M^.fI_.8I^.fI_.8._.fI_.8K^.fI_Rich.fI_........PE..L...`..Z...........!.....>..........E........P............................................@..........................X......@Z..P....p..........................H....X...............................................P...............................text...W<.......>.................. ..`.rdata.......P.......B..............@..@.data...@....`.......R..............@....rsrc........p.......T..............@..@.reloc..H............X..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF07896EEC56FC75D7.TMP

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.9707866603181605
Encrypted:	false
SSDEEP:	384:GL5rXzTlMoTfntrAmBTmAqPfIRB4JiSrWcbQ3aNrUn2Dk8:G48fOfIMJiCO3aNr1
MD5:	717EC277A3067A039CF95F2F059FF69B
SHA1:	8FC17A64851521B0F2C18127F93E46709211AD03
SHA-256:	0BAA796FF4E3776FFAB944B60842AEBFE8280E5339243A3A92909E3F59069A70
SHA-512:	7B639E58BFD38E53DE0D7CE472E7EA75F79DE4B3B803CBD6EB3384E62C24E01019996704B7ECCD7DA70B81AD6C12A4C91588FD2B8CB1B99C18813B757880ED3A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9619D4FE9F9A1359.TMP

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	22962
Entropy (8bit):	7.2323845873172745
Encrypted:	false
SSDEEP:	384:jwL5rXzTlMoTfntrAmBTmAqPfIRB4JiSrWcbQ3aNrUn2Dk6:k48fOfIMJiCO3aNrl
MD5:	A58BF3594E883D3D052CCF01466D68C0
SHA1:	0FA760271095A8C02A87069CD28AF250FFFA2200
SHA-256:	CDB80DB170AD53CB47FB62BB6EFDD0EFE93BD3DCB4B36596FFB1072A15A633EA
SHA-512:	9357191499051BD4B2FD92CD7229F1596CCD5FF4364FB2958C603B094220BCC4A1466C1483C89AAB24655AFB07F42D938C849CEA38DA8044D809E98A6004EAAD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.718956558480856
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	225'616 bytes
MD5:	8f195e5120614a9e3a734e496e1cc08f
SHA1:	e9cf4b56a535222a7e3755d4bcc1705aca7c15de
SHA256:	319a04d9599da49736e379f99d5dbabfc42f037b6e9b75db328bf05f37db7ae1
SHA512:	8412332a2dbf8643ee69264e1470379f512168785596bc7d29d75247c8866d893f01e9f7c03faca5588c3e7094cdc298b48157c4d112471e2e94be40cf40d224
SSDEEP:	6144:CbE/HU22prZK7ovHY6av4TVeO7+FU1FKLJBOFg45n73s:Cb1NZK4YxgTVeO7+F+KnIg4bs
TLSH:	712412507660D8C3C8E38773BE3A533A99BD837B66746E8303046A5C2E52351676F749
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	f9d49b792593090d

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	08/05/2024 02:00:00 14/02/2025 00:59:59
Subject Chain	CN=FAST CORPORATION LTD, O=FAST CORPORATION LTD, L=Ra'anana, C=IL, SERIALNUMBER=515636181, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
Version:	3
Thumbprint MD5:	04786BD703B906E22AECB2AD38CE4D94
Thumbprint SHA-1:	07BE42727905BE32C822A638502C1B8FAAE6540A
Thumbprint SHA-256:	FDB017BB88E5D453E22A73810690C72534F58EFB109EA0D4494EC393F2307DBC
Serial:	0E5C655E1CBE9A8879372F58A5BC0302

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F4AD8C8C12Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F4AD8C8C0FAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x75000	0x4a80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x347e8	0x2968
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	ce9df19df15aa7bfbc0a8d0af0b841d0	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	a118375c929d970903c1204233b7583d	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	82a10c59a8679bb952fc8316070b8a6c	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x3f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x75000	0x4a80	0x4c00	e24c4c098791e3921d9b8e42da598750	False	0.23514597039473684	data	4.4140297012897936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x751d8	0x3e28	Device independent bitmap graphic, 60 x 128 x 32, image size 0	English	United States	0.19343891402714933
RT_DIALOG	0x79000	0x1a0	data	English	United States	0.4110576923076923
RT_DIALOG	0x791a0	0x118	data	English	United States	0.6035714285714285
RT_DIALOG	0x792b8	0x12a	data	English	United States	0.587248322147651
RT_GROUP_ICON	0x793e8	0x14	data	English	United States	1.1
RT_VERSION	0x79400	0x250	data	English	United States	0.47466216216216217
RT_MANIFEST	0x79650	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5130841121495328

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:05:25.026767015 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.026818037 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.026943922 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.059727907 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.059775114 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.568691969 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.568778992 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.570764065 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.570777893 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.572256088 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.572321892 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.584734917 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.584892988 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.584955931 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.584969044 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.585032940 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.652651072 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.652942896 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.652965069 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.854208946 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.854293108 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:25.854352951 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.854388952 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.856117010 CET	49747	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:25.856138945 CET	443	49747	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.170500994 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.170567989 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.170660973 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.171915054 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.171936035 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.644088984 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.644155025 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.646461010 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.646471977 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.646806002 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.646847963 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.647850037 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.647913933 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.647950888 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.648008108 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.691333055 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.770385981 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.770458937 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.770489931 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.770504951 CET	443	49748	161.35.127.181	192.168.2.24
Jan 10, 2025 16:05:26.770533085 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.770551920 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.773461103 CET	49748	443	192.168.2.24	161.35.127.181
Jan 10, 2025 16:05:26.773480892 CET	443	49748	161.35.127.181	192.168.2.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:05:25.009273052 CET	55239	53	192.168.2.24	1.1.1.1
Jan 10, 2025 16:05:25.017757893 CET	53	55239	1.1.1.1	192.168.2.24

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:05:25.009273052 CET	192.168.2.24	1.1.1.1	0x1ca1	Standard query (0)	veryfast.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:05:25.017757893 CET	1.1.1.1	192.168.2.24	0x1ca1	No error (0)	veryfast.io	161.35.127.181	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:05:25.017757893 CET	1.1.1.1	192.168.2.24	0x1ca1	No error (0)	veryfast.io	64.227.17.224	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:05:25.017757893 CET	1.1.1.1	192.168.2.24	0x1ca1	No error (0)	veryfast.io	165.227.204.94	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

veryfast.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.24	49747	161.35.127.181	443	6364	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:05:25 UTC	240	OUT	POST /inst_cpg.php?src=fast_mini&guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&version=2.353&uc=16le HTTP/1.1 Content-Type: application/json User-Agent: NSIS_wininet Host: veryfast.io Content-Length: 3186 Cache-Control: no-cache
2025-01-10 15:05:25 UTC	3186	OUT	Data Raw: 7b 00 22 00 73 00 79 00 73 00 74 00 65 00 6d 00 5f 00 73 00 74 00 61 00 74 00 73 00 22 00 3a 00 7b 00 22 00 6f 00 73 00 5f 00 6e 00 61 00 6d 00 65 00 22 00 3a 00 22 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2b 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2b 00 31 00 31 00 2b 00 50 00 72 00 6f 00 22 00 2c 00 22 00 6f 00 73 00 5f 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 64 00 61 00 74 00 65 00 22 00 3a 00 22 00 32 00 30 00 32 00 34 00 31 00 32 00 30 00 39 00 31 00 39 00 31 00 30 00 31 00 39 00 25 00 32 00 45 00 30 00 30 00 30 00 30 00 30 00 30 00 25 00 32 00 42 00 30 00 36 00 30 00 22 00 2c 00 22 00 6f 00 73 00 5f 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 65 00 73 00 22 00 3a 00 22 00 31 00 31 00 35 00 22 00 2c 00 22 00 6f 00 73 00 5f Data Ascii: {"system_stats":{"os_name":"Microsoft+Windows+11+Pro","os_installdate":"20241209191019%2E000000%2B060","os_processes":"115","os_
2025-01-10 15:05:25 UTC	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:05:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
2025-01-10 15:05:25 UTC	243	IN	Data Raw: 65 38 0d 0a 7b 00 22 00 63 00 70 00 67 00 22 00 3a 00 22 00 22 00 2c 00 22 00 69 00 6e 00 73 00 74 00 5f 00 65 00 78 00 63 00 6c 00 22 00 3a 00 7b 00 22 00 65 00 75 00 6c 00 61 00 22 00 3a 00 22 00 73 00 6b 00 69 00 70 00 70 00 65 00 64 00 22 00 7d 00 2c 00 22 00 69 00 6e 00 73 00 74 00 5f 00 61 00 64 00 64 00 6f 00 6e 00 22 00 3a 00 7b 00 22 00 65 00 75 00 6c 00 61 00 22 00 3a 00 22 00 73 00 6b 00 69 00 70 00 70 00 65 00 64 00 22 00 7d 00 2c 00 22 00 69 00 6e 00 73 00 74 00 5f 00 61 00 64 00 76 00 61 00 6e 00 63 00 65 00 64 00 22 00 3a 00 7b 00 22 00 70 00 61 00 74 00 68 00 22 00 3a 00 22 00 31 00 22 00 2c 00 22 00 73 00 74 00 61 00 72 00 74 00 75 00 70 00 22 00 3a 00 22 00 31 00 22 00 7d 00 7d 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8{"cpg":"","inst_excl":{"eula":"skipped"},"inst_addon":{"eula":"skipped"},"inst_advanced":{"path":"1","startup":"1"}}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.24	49748	161.35.127.181	443	6364	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:05:26 UTC	240	OUT	GET /pixel.gif?guid=B85E4D56-FE7F-05B2-0505-26A7EDB43680&_fcid=&evt_src=installer&evt_action=show_page&version=2.353&page=wel HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: veryfast.io Connection: Keep-Alive Cache-Control: no-cache
2025-01-10 15:05:26 UTC	302	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:05:26 GMT Content-Type: image/gif Content-Length: 42 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-Ranges: bytes Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
2025-01-10 15:05:26 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 01 44 00 3b Data Ascii: GIF89a!,D;

Target ID:	1
Start time:	10:05:22
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	225'616 bytes
MD5 hash:	8F195E5120614A9E3A734E496E1CC08F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Banner.dll

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\GraphicalInstaller.dll

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\Math.dll

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\background.ole

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\background_small.ole

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\button.bmp

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\fast_background1-inner.jpg

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\fast_background1.jpg

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\inetc.dll

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsvF50.tmp\nsJSON.dll

C:\Users\user\AppData\Local\Temp\~DF07896EEC56FC75D7.TMP

C:\Users\user\AppData\Local\Temp\~DF9619D4FE9F9A1359.TMP

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Setup.exe