Windows Analysis Report
SetupFA.exe

Overview

General Information

Sample Name:SetupFA.exe
Analysis ID:707890
MD5:6c685e04456f4354cf5e9a7d862ee97d
SHA1:e802b06cdef89596f240ab4e560e0378d3cf5ccb
SHA256:3f68f7ff284fc3d240d12405ffc79f13e1bf4d099dcfd64f8b03ead2efdf25b1

Detection

Score:51
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:18
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Queries the installation date of Windows
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
EXE planting / hijacking vulnerabilities found
DLL planting / hijacking vulnerabilities found
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64_ra
  • SetupFA.exe (PID: 5760 cmdline: "C:\Users\alfredo\Desktop\SetupFA.exe" MD5: 6C685E04456F4354CF5E9A7D862EE97D)
    • chrome.exe (PID: 5964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/?p=lp_intro&src=fa&guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
      • chrome.exe (PID: 5220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1780,i,7756689303587295199,3195362890431252432,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • fa_rss.exe (PID: 6792 cmdline: "C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe" /init default MD5: B7819E2C9ADA79F6123BA7A492E39715)
    • Fast! Installer.exe (PID: 7368 cmdline: "C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe" MD5: EC427B1BF867DC6FDFDFC2B5219F44DE)
      • chrome.exe (PID: 7536 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
        • chrome.exe (PID: 7764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1624 --field-trial-handle=1892,i,1520342163169782111,17579895454764679597,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
      • SetupEngine.exe (PID: 7204 cmdline: "C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe" MD5: 5633DE5AF2C7D8E011EFE802CEC7B83E)
        • cmd.exe (PID: 5272 cmdline: cmd /c "C:\Users\alfredo\AppData\Local\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\alfredo\AppData\Local\Temp\testfile.temp" > C:\Users\alfredo\AppData\Local\Temp\dskres.xml MD5: 4943BA1A9B41D69643F69685E35B2943)
          • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
          • diskspd.exe (PID: 3060 cmdline: C:\Users\alfredo\AppData\Local\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\alfredo\AppData\Local\Temp\testfile.temp MD5: FC41CABDD3C18079985AC5F648F58A90)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SetupFA.exe | ReversingLabs: Detection: 45%
Source: SetupFA.exe | Virustotal: Detection: 50%
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | ReversingLabs: Detection: 27%
Source: C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\QFX1KV1T\SetupEngine[1].exe | ReversingLabs: Detection: 23%
Source: C:\Users\alfredo\Desktop\SetupFA.exe | EXE: C:\Users\alfredo\AppData\Roaming\FA\uninstaller.exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | EXE: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: IPHLPAPI.DLL
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: iertutil.dll
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: urlmon.dll
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: WININET.dll
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: DPAPI.DLL

Compliance

Source: SetupFA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\alfredo\Desktop\SetupFA.exe | EXE: C:\Users\alfredo\AppData\Roaming\FA\uninstaller.exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | EXE: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: IPHLPAPI.DLL
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: iertutil.dll
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: urlmon.dll
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: WININET.dll
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | DLL: DPAPI.DLL
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FA_RSS
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.231.198.40:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.160.53:443 -> 192.168.2.3:49840 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.222.214.19:443 -> 192.168.2.3:49866 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49921 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49994 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: SetupFA.exe | Static PE information: certificate valid
Source: chrome.exe | Memory has grown: Private usage: 6MB later: 26MB
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49864
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49863
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49984
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49932 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49875 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49984 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49859
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49856
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49854
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49974
Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49973
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49851
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49972
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49971
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49970
Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49943 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49848
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49847
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49968
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49845
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49964
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49963
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49962
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49961
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49960
Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49972 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49959
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49958
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49833
Source: unknownNetwork traffic detected: HTTP traffic on port 49887 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49953
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49951
Source: unknownNetwork traffic detected: HTTP traffic on port 49864 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49950
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49946
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943
Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49974 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49968 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49897
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49893
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49892
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49890
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49897 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49851 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49887
Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49882
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
Source: unknownNetwork traffic detected: HTTP traffic on port 49973 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866
Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49964 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49901 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49833 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49930
Source: unknownNetwork traffic detected: HTTP traffic on port 49971 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown | DNS traffic detected: queries for: veryfast.io
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.231.198.40:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.216.160.53:443 -> 192.168.2.3:49840 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.222.214.19:443 -> 192.168.2.3:49866 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49921 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.215.103.17:443 -> 192.168.2.3:49994 version: TLS 1.2
Source: SetupFA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SetupFA.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SetupFA.exe | ReversingLabs: Detection: 45%
Source: SetupFA.exe | Virustotal: Detection: 50%
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File read: C:\Users\alfredo\Desktop\SetupFA.exe
Source: SetupFA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\alfredo\Desktop\SetupFA.exe "C:\Users\alfredo\Desktop\SetupFA.exe"
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/?p=lp_intro&src=fa&guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1780,i,7756689303587295199,3195362890431252432,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Process created: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe "C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe" /init default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Process created: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe "C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe"
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1624 --field-trial-handle=1892,i,1520342163169782111,17579895454764679597,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | Process created: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe "C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe"
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\alfredo\AppData\Local\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\alfredo\AppData\Local\Temp\testfile.temp" > C:\Users\alfredo\AppData\Local\Temp\dskres.xml
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\alfredo\AppData\Local\Temp\diskspd.exe C:\Users\alfredo\AppData\Local\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\alfredo\AppData\Local\Temp\testfile.temp
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\alfredo\Desktop\SetupFA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\pixel[1].gif
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nsj8EB7.tmp
Source: classification engine | Classification label: mal51.evad.winEXE@41/30@18/81
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File read: C:\Users\desktop.ini
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | File created: C:\Program Files (x86)\Fast!
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FA_RSS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: SetupFA.exe | Static PE information: certificate valid
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | File created: C:\Program Files (x86)\Fast!\fast!.exe
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | File created: C:\Users\alfredo\AppData\Local\Temp\diskspd.exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nst8EF6.tmp\WmiInspector.dll
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | File created: C:\Program Files (x86)\Fast!\FastSRV.exe
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nsm5515.tmp\nsDialogs.dll
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nscEF03.tmp\SimpleSC.dll
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nscEF03.tmp\nsExec.dll
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nst8EF6.tmp\INetC.dll
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | File created: C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\QFX1KV1T\SetupEngine[1].exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nst8EF6.tmp\System.dll
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | File created: C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\SetupResources[1].exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Roaming\FA\uninstaller.exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Local\Temp\nst8EF6.tmp\KillProc.dll
Source: C:\Users\alfredo\Desktop\SetupFA.exe | File created: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run fa_rss
Source: C:\Users\alfredo\Desktop\SetupFA.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\alfredo\Desktop\SetupFA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\alfredo\Desktop\SetupFA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\alfredo\Desktop\SetupFA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe TID: 6796Thread sleep time: -8100000s >= -30000s
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe TID: 6796Thread sleep time: -23400000s >= -30000s
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe TID: 6796Thread sleep time: -900000s >= -30000s
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeDropped PE file which has not been started: C:\Program Files (x86)\Fast!\fast!.exeJump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeDropped PE file which has not been started: C:\Program Files (x86)\Fast!\FastSRV.exeJump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeDropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\nsm5515.tmp\nsDialogs.dllJump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeDropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\SetupResources[1].exeJump to dropped file
Source: C:\Users\alfredo\Desktop\SetupFA.exeDropped PE file which has not been started: C:\Users\alfredo\AppData\Roaming\FA\uninstaller.exeJump to dropped file
Source: C:\Users\alfredo\Desktop\SetupFA.exeDropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\nst8EF6.tmp\KillProc.dllJump to dropped file
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeThread delayed: delay time: 900000
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeThread delayed: delay time: 900000
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeThread delayed: delay time: 900000
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeProcess information queried: ProcessInformation
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeThread delayed: delay time: 900000
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeThread delayed: delay time: 900000
Source: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exeThread delayed: delay time: 900000
Source: C:\Users\alfredo\Desktop\SetupFA.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/?p=lp_intro&src=fa&guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94
Source: C:\Users\alfredo\Desktop\SetupFA.exeProcess created: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe "C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe"
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeProcess created: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe "C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe"
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\alfredo\AppData\Local\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\alfredo\AppData\Local\Temp\testfile.temp" > C:\Users\alfredo\AppData\Local\Temp\dskres.xml
Source: C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\SetupFA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
MITRE ATT&CK matrix, listed per tactic (the numbers in parentheses are the counts displayed next to a technique in the matrix):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (331); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Windows Service (1); Registry Run Keys / Startup Folder (1); DLL Search Order Hijacking (2); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Windows Service (1); Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Search Order Hijacking (2); Extra Window Memory Injection (1); Rc.common
Defense Evasion: Masquerading (3); Virtualization/Sandbox Evasion (241); Process Injection (11); DLL Search Order Hijacking (2); Extra Window Memory Injection (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (33); Process Discovery (1); Virtualization/Sandbox Evasion (241); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

Source | Detection | Scanner | Label
SetupFA.exe | 45% | ReversingLabs | Win32.Adware.FstApp
SetupFA.exe | 51% | Virustotal | -
SetupFA.exe | 11% | Metadefender | -
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gstaticadssl.l.google.com | 172.217.18.3 | true | false | - | high
scontent.xx.fbcdn.net | 31.13.92.14 | true | false | - | high
s3.amazonaws.com | 54.231.198.40 | true | false | - | high
accounts.google.com | 142.250.186.77 | true | false | - | high
veryfast.io | 3.215.103.17 | true | false | - | high
www.google.com | 142.250.184.196 | true | false | - | high
clients.l.google.com | 142.250.186.110 | true | false | - | high
d1uyoz7mfvzv4e.cloudfront.net | 52.222.214.36 | true | false | - | high
clients2.google.com | unknown | unknown | false | - | high
connect.facebook.net | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://veryfast.io/?p=lp_intro&src=fa&guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94 | false | - | high
https://veryfast.io/installing2.html?guid=11EB4D56-CD47-EB68-FB46-FB9922C35D94 | false | - | high
[Map legend, share of contacted IPs per country: < 25%; 25% to 50%; 50% to 75%; > 75%]
IP | Domain | Country | ASN | ASN Name | Malicious
34.104.35.123 | unknown | United States | 15169 | GOOGLEUS | false
142.250.186.36 | unknown | United States | 15169 | GOOGLEUS | false
172.217.18.3 | gstaticadssl.l.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.227 | unknown | United States | 15169 | GOOGLEUS | false
52.216.160.53 | unknown | United States | 16509 | AMAZON-02US | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
3.215.103.17 | veryfast.io | United States | 14618 | AMAZON-AESUS | false
142.250.186.110 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
52.222.214.19 | unknown | United States | 16509 | AMAZON-02US | false
54.231.198.40 | s3.amazonaws.com | United States | 16509 | AMAZON-02US | false
216.58.214.10 | unknown | United States | 15169 | GOOGLEUS | false
142.250.186.77 | accounts.google.com | United States | 15169 | GOOGLEUS | false
52.222.214.36 | d1uyoz7mfvzv4e.cloudfront.net | United States | 16509 | AMAZON-02US | false
IP
192.168.2.1
127.0.0.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 707890
Start date and time: 2022-09-22 16:14:11 +02:00
Joe Sandbox Product: CloudBasic
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SetupFA.exe
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal51.evad.winEXE@41/30@18/81
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.190.160.20, 20.190.160.22, 40.126.32.140, 20.190.160.17, 40.126.32.134, 40.126.32.133, 40.126.32.138, 40.126.32.76
• Excluded domains from analysis (whitelisted): fs.microsoft.com, prda.aadg.msidentity.com, login.live.com, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: C:\Users\alfredo\AppData\Roaming\FA\fa_rss.exe
• VT rate limit hit for: C:\Users\alfredo\AppData\Roaming\FA\uninstaller.exe
Process: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 95936
Entropy (8bit): 6.567389828914908
Encrypted: false
SSDEEP:
MD5: A1508FB72D1A12709BD069A6EDFC29B5
SHA1: BBE76275D8A44310ED3A82BE510F4A69EAAF76C1
SHA-256: B7D5365F9094911AE0B7E65B86254135F0B02E0BA15F3DF19E85BAE23185C67A
SHA-512: DA9B79490BCD5BCD27C1737126911AB449B1178C990E43BB16FB29AF324077CF72BD9A1B9F44F4A400A7B77420E126903399D27E0A79D029B45A3C13F7AA1F9F
Malicious: false
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..^............D.......D.......D...........................6...D...........w...........'............Rich............PE..L......^..........................................@.......................................@..................................)..x....`...............B...4...p.. ...@ ..p...................T!....... ..@...............l............................text............................... ..`.rdata...a.......b..................@..@.data...P....@.......&..............@....rsrc........`.......0..............@..@.reloc.. ....p.......2..............@..B................................................................................................................................................................................................................................................................................................................

Process: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1946816
Entropy (8bit): 6.559169663740982
Encrypted: false
SSDEEP:
MD5: 499E3F85CE57EDC3FE3A6D004797FC67
SHA1: 03076B8A5F77CA44829C6A154AB2E0B480C02D5F
SHA-256: B3ADFE4212450747D8D2E9245022AC7C81CFB85E6EFB6359E38D431FD87C3A6E
SHA-512: 870AC44EDA08ED4850C8D742987E7AC5C150C30D1C19149BBCC3B118F9B00DE4CE58D84FFFBCA16BE278C907E4D784874CA5900F2993DB53BFCB5DF91E486D40
Malicious: false
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]>..._dC._dC._dCB7gB._dCB7aB._dC.2`B._dC.2gB._dC.2aBs^dCB7`B8_dCB7eB<_dC._eC=\dCB7bB._dC.2mB._dC.2.C._dC._.C._dC.2fB._dCRich._dC........................PE..L......^.................8..........A........P....@.......................... ......j'....@.....................................h........................4..............p...................$...........@............P...............................text...l6.......8.................. ..`.rdata.......P.......<..............@..@.data........0...R..................@....rsrc................`..............@..@.reloc...............x..............@..B................................................................................................................................................................................................................................................................................

Process: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
File Type: ASCII text, with very long lines
Category: dropped
Size (bytes): 31000
Entropy (8bit): 4.746143404849733
Encrypted: false
SSDEEP:
MD5: 269550530CC127B6AA5A35925A7DE6CE
SHA1: 512C7D79033E3028A9BE61B540CF1A6870C896F8
SHA-256: 799AEB25CC0373FDEE0E1B1DB7AD6C2F6A0E058DFADAA3379689F583213190BD
SHA-512: 49F4E24E55FA924FAA8AD7DEBE5FFB2E26D439E25696DF6B6F20E7F766B50EA58EC3DBD61B6305A1ACACD2C80E6E659ACCEE4140F885B9C9E71008E9001FBF4B
Malicious: false
Reputation: low
Preview: /*!. * Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome. * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License). */@font-face{font-family:'FontAwesome';src:url('../fonts/fontawesome-webfont.eot?v=4.7.0');src:url('../fonts/fontawesome-webfont.eot?#iefix&v=4.7.0') format('embedded-opentype'),url('../fonts/fontawesome-webfont.woff2?v=4.7.0') format('woff2'),url('../fonts/fontawesome-webfont.woff?v=4.7.0') format('woff'),url('../fonts/fontawesome-webfont.ttf?v=4.7.0') format('truetype'),url('../fonts/fontawesome-webfont.svg?v=4.7.0#fontawesomeregular') format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal normal 14px/1 FontAwesome;font-size:inherit;text-rendering:auto;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.fa-lg{font-size:1.33333333em;line-height:.75em;vertical-align:-15%}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-fw{width:1.

Process: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1800
Entropy (8bit): 5.223532960977299
Encrypted: false
SSDEEP:
MD5: EDAB2AD532D5A2E8736176A0D455B1BD
SHA1: 10C0BA9E3D9A8196A6852F9A264CA378D0961099
SHA-256: AEAC4EF506D8ECDA071169649D3A9D46344E8EEC246BA1C716499E9FAB05F7E4
SHA-512: 3C059E4BD497C22AD7DD586ED5252C091BC63753BCE2065D566C94C5B7F2BEBE5F858D2FC812052926F69F5465AEAC9389917EDDEDF1B7D0BFE5D82808DA9158
Malicious: false
Reputation: low
Preview: /* cyrillic-ext */..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans1.woff2) format('woff2');.. unicode-range: U+0460-052F, U+20B4, U+2DE0-2DFF, U+A640-A69F;..}../* cyrillic */..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans2.woff2) format('woff2');.. unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;..}../* greek-ext */..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans3.woff2) format('woff2');.. unicode-range: U+1F00-1FFF;..}../* greek */..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans4.woff2) format('woff2');.. unicode-range: U+0370-03FF;..}../* vietnamese */..@font-face {.. font-fam

Process: C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
File Type: Web Open Font Format (Version 2), TrueType, length 16868, version 1.6554
Category: modified
Size (bytes): 16868
Entropy (8bit): 7.9880541218783945
Encrypted: false
                          SSDEEP:
                          MD5:4B60E71334D025BE8BD843ACC59753E1
                          SHA1:E0350190D720A8FEC0557AB47B318EC4E4486448
                          SHA-256:CDD6F09441727E4AC6FA370E2B8221EE3C2892265CB618AFA35643CBDD5B7617
                          SHA-512:B7ED2906BEAE601AAAF9249BE565C1F6A6F29FD9D2C36F7C8338AAD97B4ADD5CD8F7023F8EB5491A660E252021BD247B8C65564F2D2C1AC17B7972D754A568AB
                          Malicious:false
                          Reputation:low
                          Preview:wOF2......A...........A..........................".....`....."..4.....T..D.6.$..p..<.. ..2..J....:r5l.....*.p._.h$B.820.kGE.q.(..d..9.r...<.jY........foL.%.S)tl....K..d.K.U*...O3.{...2.Gs...Z.5.Db.@g..)."....T$..c.?.7.Z...M..../..c..q....'fZ...q..2..8.3.n..i..~~.3..&5.}.7.w..$...*.t,.......~.&.L5.{f.?.lh..37......fbb.z..g.TLT...&..q.....E?.#y...v..}o?5.L..q.d.%.j Q...:.....&uV..Zq.-.8a.E../.oF.X..4T.s..E.E....*.jw*..H..?.L/.!K.....).#].L....6<.}.e.[2.RW....n.e....=..W..A......yY}..TE..U%...8...:+.v.}C|.PQG`.&..V~..].Yh..$y`...F..r..Bb.......I..t..*..7.FM.Q...v.-...Xc.;..D.6.{.L.\...:..._..{.HH.8X.\t....Y..[(...^......I.....dJ....9J..r...\t..K..g.....(@T.u...;..{......t..O}....B......:...s.s.(..K[.....wI.8....~9z........ .n .?I.xXv.L.`.)...2t....Ru. .t8.D.....q.....7.!.....$...F....5.5]....."...| ..xU)......{.~..~..y......a..!.iU.H.W1.....Q.8...&...Z..d S.VjUA...&.....#....l ..,.@SB$.d@..W../...A.....la..d\........S.f.[0..u.U7...ST/...W?.]1.@..6.P..
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:Web Open Font Format (Version 2), TrueType, length 9676, version 1.6554
                          Category:dropped
                          Size (bytes):9676
                          Entropy (8bit):7.974841909039616
                          Encrypted:false
                          SSDEEP:
                          MD5:85759F54539623A05BF2E5A3F6799DAF
                          SHA1:BE201D32A9AA5D186723EBB3C538BE691AA8C53A
                          SHA-256:CF84A7B7066A47F6973D447ABE36D8B8247A2949DC66363F2CD861767885ABC2
                          SHA-512:9BEDED6DB64CB808B4E61F0ED26B26CE03A20ACF68275A5CFE7079758D6A72A791F273A6E939018B338EA414D2E3B149C92BCFD0313725F14BAA87F1B790FF51
                          Malicious:false
                          Reputation:low
                          Preview:wOF2......%.......J...%j.........................(.....`....."..4....x.P.6.$.. ..f..... ..2..?....UA......l....$B.8@.AU............j...u..nm.........Z...,.R.U:.M....9t...T^U....d...?..*0...:...Z.Y....|...5a.>\W.j....gi......._.e0.p....&C.2y.\..lr....+..b....gZ.....CX.a...Q7..3}_....Z.....r.d.cW!.:_...M.\ ...1.K...r-...p..m...vvba...D.h.X.2"X3.....Q(F.0zel....wV.....e.....{.8=.f.....}......0.)..t..M.T.._Q.pS...f.I.u....<.......U.......$...T.....9q.!.[.h...Cy.AvR.. ..;....'F|.......*.I$....=t.........pT.f.c.Bq...XOB.......S......Z...a....uz..9.2\$'.|.........$;......B.%...|...T.MsE...uy..-..2.......,.0T....rYr..B(.......P'.J..B.....k..^nB&.!..,4"..g. .Z.sA.!!....a..^...........mz..y].JB;~F....'2. .....J.......=...%?A.n...s..n.'....O..Jxe)*..!M.JBhL.cD..8.6..4?L...p....;~...x.....Pyx.......O...."...}.#.0.....T1.i...k.j..t/..?.%L83...c...!.......m.J@.......zf...(.~.u../..x'...V.X.\iP...8..q..n5...9}.MAI..%.A.s_.o.2.....%.A...~..@M..n*L.....H\
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:Web Open Font Format (Version 2), TrueType, length 2332, version 1.6554
                          Category:dropped
                          Size (bytes):2332
                          Entropy (8bit):7.869949868745035
                          Encrypted:false
                          SSDEEP:
                          MD5:F736E54388BFAAD417DF1B30814B6AAE
                          SHA1:2C5B039B57F62625E88226A938679EC937431AD1
                          SHA-256:5CED1FBF1C36965E6A61DDCB52D7AD7CC43A8A6096A8E40AE2405BFBB3153FAD
                          SHA-512:4BEC4A9EFC6FDB22F805F5CF61F765C8DEB259C72748DE6069714AF0D4287B435583F8ADA6637DF3B139AE4CF5BD3AB805088C99888C10F54E9981C34DADC991
                          Malicious:false
                          Reputation:low
                          Preview:wOF2...................................................`.,.."..4....`.E.6.$...... ..2.G......Q.M.I.E..b.%%..XH`<-....FF..w7b(...}......5d..oq).....Z._N.L$.H..N....d.c....S...2y9o.,\..}...z]`:v..1A....y..y@..").r.#.e..a.....C..i?W'.F.-..Nf..}...#...I)C.. $J&..26..7f .H.<.....b1j.....+.[.`6....J^..&.o?@..2.... .....]._......$q...S......w`UY.8.9.$..}W....dg..p.%X.H.e..+..ZCt.....%.W...r.o...`...!........].-.......{.5 6....-....j...Y..\..G...o5..Z....'..+.Q,.s......cG..>tp......R.Vv..e.....".P0..y=...Eb...h..0.9.l...f...J6R..W.M.r..9Hm.).....:..)........@.G2.....v...<..?.7.IcnUE............=......Xa2....D,.....^.l."j_i.q. ......g..5n..U.....Y.X.B{../`...q?.....)..d......p.p.8. <../c2.;X.w<..E....+.....1...O..4.Qq.....wN.H.....J.$u...RZ..Qb.$l......2.n4*.5..U^..^.........9f...R...1..V.3N...3...&....1..G..rU.....a....z.r...i.%....[.RuMu.f*_.hp.^.2.....`....)71...**.+...n..E..v../....*{.2.!'P....E.....(k.hq........f3XN......*......v;.A.-..a....X~c.
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:Web Open Font Format (Version 2), TrueType, length 8160, version 1.6554
                          Category:dropped
                          Size (bytes):8160
                          Entropy (8bit):7.9700811821881645
                          Encrypted:false
                          SSDEEP:
                          MD5:C09EA514A21D4A93BC0C4A96ED503A59
                          SHA1:BE365ECA44760CE3FC9B377C43D4634958479C69
                          SHA-256:F66947CEC51A5785E6F9CA02F45E8F0D22D43BA818ED114366D033E14458BC84
                          SHA-512:19365BC788085CA00F86DC74ABCCC77B48CC9F0BFE11093B52165B049ADDA5DC16B48598BD878AE2816465CB1AD70A4F134C4619CE58C8A76FCF15380B05B285
                          Malicious:false
                          Reputation:low
                          Preview:wOF2..............<|.............................(.....`.|.."..4....l.x.6.$........H.. ..2..6.....6....w.*........d....r.MX...."N....0..PFNX1...i.u.......Q.n..C.1.._...N..%,5:D...T....;L..?...D.^....<...xD.u...#..>..g2=...;.&..k(%A..}....u...p |H.W.%...@!\.........."..>/rK....W^...}..W.....@........X{@..z?.#..ga.5.LP2PuU.....\._..U.......&*.... .......TK..OJ......i#.lV..z\...m.Pj]4..SqZ. W.Y.Snr9..a...c..;].@....R.5.JV..Q...b...).:.gVY7....*b...L....B%4....B.f.. w........Y.?s..%i....2a.J.Q..B.g..O........u.2.i....i|(.l..T_.a.w.AP>,j.,a..IJ...IYO.sj9K.r.!.%.........$=...uLT......."X.y..yr....XSk..f....`....3.>A.....H...zd.q.E@.8.y3....u..7.......vv.(D.m..A..sZ%.@!...p.F1%..Y/.<H$.._!....=.'....\\y.A%|.rXD.....3.i.e.8Q..LR....p.........GI.EC.....x..1?.D....}6....Tm^......L.".w...(.nZH..<N=n...DU.S.NY2..$...,....D...2.,.....r.H..tg..m....1.>....."..$.,...s...4tM.".O..~.Z...d.m..2..VRpF. ....Ef..a%..P.Jb4g..Il(..s..X.J.V.C9c.\...e..V...+t....
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:HTML document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):7900
                          Entropy (8bit):5.182745289197122
                          Encrypted:false
                          SSDEEP:
                          MD5:C3D925EF0D88E8D8372830FFA9CFAF9C
                          SHA1:2577C96F15DDEA2E647FBD5AACABF9FFA6F1F984
                          SHA-256:E83A36C8F39A084F1C2D118875747650CAB7F4A5D6489ACDCCE03D0D6B882910
                          SHA-512:49177260DE2361DA28B3045E4A5D513B19CA58006C3E9AEBFFD8853B4257D3C0295F053782E15E57DF238EBD3F020586169CC753D80DDCFE8036122DC42E73F5
                          Malicious:false
                          Reputation:low
                          Preview:<html>..<head>......<link href='css/opensans.css' rel='stylesheet'>..<link href='css/style.css' rel='stylesheet'>....<style>....</style>......</head>....<script src="js/jquery-2.1.4.min.js"></script>..<script src="js/circle-progress.js"></script>..<script src="js/chart.min.js"></script>....<video id=fastvid style='display:none; position: fixed; top:0; bottom:0; left:220px; right:0; z-index:0;' width='100%' height='100%' xloop nocontrols xautoplay>...<source src='vid/fast.webm' type='video/ogg'>..</video>......<body style="display:none; background:#111514;">....<div id=welcomeToFast style="position:absolute; top:150px; left:100px; font-size:42px; display:none"></div>....<div id=topHeadline style="position:absolute; top:10px; left:0px; width:100%; text-align: center;"></div>.. div id=topActivateBtn style="position:absolute; top:40px; left:0px; width:100%; text-align: center; font-size:14px; cursor:pointer; Display:none">Click Here to Activate Immediately</div-->....<div id=minimizeIc
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:HTML document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1666
                          Entropy (8bit):5.339040171867944
                          Encrypted:false
                          SSDEEP:
                          MD5:EBAC1E1B46C40E3E46C4845C3EE223BE
                          SHA1:86105E4884A664A898E1598E40C31250D007CB67
                          SHA-256:AFD3C163BC581B1F24683CAFBD9CE2EC5C24F2C57FAB2382FEBE9194B94CB277
                          SHA-512:9D74108AF0DAD9FFF67462133443AF1C832286F1B75397AAFAEDAB425DFD65BD0955637F5205F387E98202D564F6C524FD497189708EB7F7A08483B971B9879C
                          Malicious:false
                          Reputation:low
                          Preview:<html>..<head>....<link href='css/opensans.css' rel='stylesheet'>..<link href='css/style.css' rel='stylesheet'>....</head>....<body style="background:transparent; display:none" onclick='onClk()'>..<div style='position:absolute; left:0px; top:0px; bottom:0px; right:0px; background:black; opacity:0.4'></div>..<img src='images/fast.png' style='position:absolute;left:10px;top:40px'>..<span id=notifyClose style='position:absolute; right:10px;top:10px;font-size:10px; cursor: pointer; display: none;' onclick="event.stopPropagation(); closeMe();">X</span>..<span id=notifyText style='position:absolute;left:50px;top:30px;font-size:16px'>..</span>..</body>....<script src="js/jquery-2.1.4.min.js"></script>....<script>..var gui = require('nw.gui');..var win = gui.Window.get();....win.x = screen.availWidth-win.width;..win.y = screen.availHeight-win.height;....win.setAlwaysOnTop(true);..win.show();....$('body').fadeIn("fast");....function getQueryParams(qs) {.. qs = qs.split('+').join(' ');....
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):334
                          Entropy (8bit):4.584871869417259
                          Encrypted:false
                          SSDEEP:
                          MD5:04B3F58E3D1DEEEA1FB93746C618F358
                          SHA1:3DF691AC206AD0A89B603DB034A760BA7CE1C98C
                          SHA-256:91E700C9BDA2B8B0AD9479429B4DB598BF0DF5D0D7DD8D406BCCC214E0B4CE0D
                          SHA-512:A8CC90B0DC721EBF357E4F7B07D34F603B75455191664686584639CAC7BC9F824E185398F3889E103BBDEDADB8872896F6356E995460F64EA96576AD46C1574B
                          Malicious:false
                          Reputation:low
                          Preview:{.. "name": "FAST!",.. "main": "index.html",.. "window": {.. "title": "FAST!",..."icon": "images/fast.png",.. "toolbar": false,.. "width": 800,.. "height": 450,.. "show": false,.. "resizable": false,.. "frame": false,.. "transparent": true,.. "show_in_taskbar": false,..."always-on-top": true.. } ..}..
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):7
                          Entropy (8bit):2.8073549220576046
                          Encrypted:false
                          SSDEEP:
                          MD5:C21F969B5F03D33D43E04F8F136E7682
                          SHA1:7505D64A54E061B7ACD54CCD58B49DC43500B635
                          SHA-256:37A8EEC1CE19687D132FE29051DCA629D164E2C4958BA141D5F4133A33F0688F
                          SHA-512:1625CDB75D25D9F699FD2779F44095B6E320767F606F095EB7EDAB5581E9E3441ADBB0D628832F7DC4574A77A382973CE22911B7E4DF2A9D2C693826BBD125BC
                          Malicious:false
                          Reputation:low
                          Preview:default
                          Process:C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Category:dropped
                          Size (bytes):55410880
                          Entropy (8bit):7.998952021709674
                          Encrypted:true
                          SSDEEP:
                          MD5:884E1463B4CB20B28C3A80960E02AC2D
                          SHA1:E6BFBCD90FEF4918754393F02B8D9D5A30B3D260
                          SHA-256:94C3E4DB939C00F36DB55C752A7E452B8B76DA4752EA01491E2DE3FED2FE9C21
                          SHA-512:3332415DED6FD0C8358769A3639DA30CE1A2FC738E07222848064DBDD49834AD59E06F039D69DDAEAE732A2699EA037DA18C83C849EB64CDACA10340E1AC4492
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF.qv..RF..T@..RF.Rich.RF.........................PE..L...oy.V.................`...........1.......p....@...................................N......................................t......................8lM..............................................................p...............................text...<^.......`.................. ..`.rdata..j....p.......d..............@..@.data...8]...........x..............@....ndata...................................rsrc............ ...~..............@..@................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:GIF image data, version 89a, 1 x 1
                          Category:dropped
                          Size (bytes):42
                          Entropy (8bit):2.9881439641616536
                          Encrypted:false
                          SSDEEP:
                          MD5:D89746888DA2D9510B64A9F031EAECD5
                          SHA1:D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
                          SHA-256:EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
                          SHA-512:D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
                          Malicious:false
                          Reputation:low
                          Preview:GIF89a.............!.......,...........D.;
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):29
                          Entropy (8bit):2.4688702187432865
                          Encrypted:false
                          SSDEEP:
                          MD5:86CF4BCCD386456CA8091DEC847A0AD1
                          SHA1:F6E3A73D7A1284A46E62EDCEBC7351FF6854CF65
                          SHA-256:002A1BEFFB815578D1551DF0D56F2153EAFDE7DCE1902FB3328421242726C19B
                          SHA-512:620FACF072B2BF312180A0A5A48BF5688F9D53AD4699B5D676E041C4840082A87F5AD7DD82C216F1B5136FA1AF89EFF7FAEAEFED0F20547355B057A3DE4C61B7
                          Malicious:false
                          Reputation:low
                          Preview:0,0,0,1,2,64,2,5,256,1,2,64,1
                          Process:C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Category:dropped
                          Size (bytes):2665608
                          Entropy (8bit):7.9968054029398585
                          Encrypted:true
                          SSDEEP:
                          MD5:5633DE5AF2C7D8E011EFE802CEC7B83E
                          SHA1:681D6BDFB53BC36FC3DE4148CCC7B926775E8BC6
                          SHA-256:28A7BAAFD30B03E8493C15BD1ACEB491502CFB2D90FA13110C4E19132BFDBE4D
                          SHA-512:AACA439DAC7DD2CC5A2E4DE4B3A6B0E8382CE8019D2D3ECD155525217995A11263B4615B605D8DA2938D33B2B78B0E6F7000079BEE253E41A7BBEE578F3BF043
                          Malicious:true
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF.qv..RF..T@..RF.Rich.RF.........................PE..L...oy.V.................`...........1.......p....@..................................)......................................t..........x............w(..4...........................................................p...............................text...<^.......`.................. ..`.rdata..j....p.......d..............@..@.data...8]...........x..............@....ndata...................................rsrc...x........ ...~..............@..@................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):144688
                          Entropy (8bit):6.667845757025275
                          Encrypted:false
                          SSDEEP:
                          MD5:FC41CABDD3C18079985AC5F648F58A90
                          SHA1:51A619DDCB3661AA8675C2D7483840AC4F991746
                          SHA-256:FA159F50E67FB5829F0F2511E25111C719411E6B6152FEA97F3A296264C7D7A4
                          SHA-512:691090B54CE52D7E8BCFFF2711ADE7A6A8BB21B409358D7BFFC2053A53C116C7C22896F21BA36945A54F094D963CD9361A132D2E165365FE287C02F3C60356ED
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...s..s..s.....z.....f.....{.....x..s........x......r......r..Richs..........PE..L...O.*W..........................................@..........................`............@...... ...........................!..x....0.. ............&..0....@..........8...............................@............ ...............................text...8........................... ..`.data...h...........................@....idata..j.... ......................@..@.rsrc... ....0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):2627
                          Entropy (8bit):5.176646499911798
                          Encrypted:false
                          SSDEEP:
                          MD5:0C1749E85848B08808597F34510A256C
                          SHA1:99D30BA93EFE28E2863007CF44B2A5B8CFF2551D
                          SHA-256:B6A0AF3FBE13A651ED5E6B11AD99E505A43F985C3E78FA1CE51B28CDA24B8EBA
                          SHA-512:ABA3F8AA55A2302614B3B40727D42DF936318CC73C90CCF3F601FDA9BC3C729E9B434B0FBF4C08CBBE55F2E70DD3B596F10C7277A8EDAD57FD0F991FC872F0A3
                          Malicious:false
                          Reputation:low
                          Preview:<Results>..<System>..<ComputerName>830021</ComputerName>..<Tool>..<Version>2.0.17a</Version>..<VersionDate>2016/5/01</VersionDate>..</Tool>..<RunTime>2022/09/22 14:16:34 GMT</RunTime>..<ProcessorTopology>..<Group Group="0" MaximumProcessors="2" ActiveProcessors="2" ActiveProcessorMask="0x3"/>..</ProcessorTopology>..</System>..<Profile>..<Progress>0</Progress>..<ResultFormat>xml</ResultFormat>..<Verbose>false</Verbose>..<TimeSpans>..<TimeSpan>..<CompletionRoutines>false</CompletionRoutines>..<MeasureLatency>false</MeasureLatency>..<CalculateIopsStdDev>false</CalculateIopsStdDev>..<DisableAffinity>false</DisableAffinity>..<Duration>10</Duration>..<Warmup>5</Warmup>..<Cooldown>0</Cooldown>..<ThreadCount>0</ThreadCount>..<IoBucketDuration>1000</IoBucketDuration>..<RandSeed>0</RandSeed>..<Targets>..<Target>..<Path>C:\Users\alfredo\AppData\Local\Temp\testfile.temp</Path>..<BlockSize>4096</BlockSize>..<BaseFileOffset>0</BaseFileOffset>..<SequentialScan>false</SequentialScan>..<RandomAccess>fa
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):62976
                          Entropy (8bit):6.324320451317714
                          Encrypted:false
                          SSDEEP:
                          MD5:D63975CE28F801F236C4ACA5AF726961
                          SHA1:3D93AD9816D3B3DBA1E63DFCBFA3BD05F787A8C9
                          SHA-256:E0C580BBE48A483075C21277C6E0F23F3CBD6CE3EB2CCD3BF48CF68F05628F43
                          SHA-512:8357E1955560BF0C42A8F4091550C87C19B4939BF1E6A53A54173D1C163B133B9C517014AF6F7614EDDC0C9BBF93B3B987C4977B024B10B05B3DC4EB20141810
                          Malicious:false
                          Reputation:low
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......`.............@..........................0..................................................R.... ..............................................................................................................CODE....x........................... ..`DATA....@...........................@...BSS.....y................................idata..R...........................@....edata..............................@..P.reloc..............................@..P.rsrc........ ......................@..P.............0......................@..P................................................................................................................................................................................
                          Process:C:\Users\alfredo\AppData\Local\Temp\SetupEngine.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:modified
                          Size (bytes):6656
                          Entropy (8bit):5.036421331647997
                          Encrypted:false
                          SSDEEP:
                          MD5:F9BE9E9ED447E7650434A7E46431BAEA
                          SHA1:574080E6BD862099BDDBB4330D513CE0E2E9C506
                          SHA-256:5797BA15A18B8C713DF62D4A630DDD81FEFEEB01A87D65D486D829991A1EDC83
                          SHA-512:C939476C27A49B1D7EAC2657453FD3E1027AF5125FD750897E9315B36A48851D43196022E48F0D2DD5DE20BE94D3F6ECE09190ED6009C60D7FE35A8649499C1F
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L...\y.V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...H........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe
                          File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4
                          Category:modified
                          Size (bytes):26494
                          Entropy (8bit):1.9568109962493656
                          Encrypted:false
                          SSDEEP:
                          MD5:CBE40FD2B1EC96DAEDC65DA172D90022
                          SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
                          SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
                          SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
                          Malicious:false
                          Reputation:low
                          Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                          Process:C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):9728
                          Entropy (8bit):5.052729239776183
                          Encrypted:false
                          SSDEEP:
                          MD5:C4BE29CD82D2D02FABADB153C8A54846
                          SHA1:8E7DC6B67ECAB045C735715C2D4E524CA6E774A4
                          SHA-256:1D85D2A1216909905B095284894BFC54840C15E949B1BC8711734EEEA795A60F
                          SHA-512:7ED721125672765B3774FE512DFF2B6AB7017D75409E2218C54809FD91FC37FF9356C0C2E11F8F05AED0F3FC515B90299A8B98EF611AD575B080AF0A4716F237
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.cXN`0XN`0XN`0XNa0mN`0.A=0UN`0.mP0]N`0.Hf0YN`0.nd0YN`0RichXN`0........................PE..L...\y.V...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...G........................... ..`.rdata..k....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..<....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22016
                          Entropy (8bit):5.668346578219837
                          Encrypted:false
                          SSDEEP:
                          MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
                          SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
                          SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
                          SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                          Category:dropped
                          Size (bytes):25088
                          Entropy (8bit):7.591489461851231
                          Encrypted:false
                          SSDEEP:
                          MD5:6C2B245E89428FB917A5805815A4054E
                          SHA1:5BCD987700DD761F02D2D1D024B8F20077985051
                          SHA-256:0558BBDFE61EEFB680E8560A7D4B174447A9516098F9CD8B4C84BF1552CEE5C5
                          SHA-512:ECB3FB77532D6FFA1CA08DF05A6A86B18138356E63CB40EDF68F97FC7FDF2E781A4EBEB1EFDB9F13F947304312DD19EF5C4A78DDC60843F5F726CDE69B2C57D4
                          Malicious:false
                          Reputation:low
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................`...........$.......0....@..........................@.......................................6..h...\5..<....0..\....................7......................................................................................UPX0....................................UPX1.....`.......V..................@....rsrc........0.......Z..............@..............................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):10752
                          Entropy (8bit):5.7433628862644
                          Encrypted:false
                          SSDEEP:
                          MD5:0FF5120F1AFD0F295C2BAA0F7192D3F8
                          SHA1:BDE842D5D11005DCB4FF1D4EA97DA31865477697
                          SHA-256:4CA5BF1BEB4B802914C4D3E2F37861F6BA5ECF969CFEADF5855EDF58F647A721
                          SHA-512:E049FFD7AACE8D136EEE007EE4F8DBC2AE8F3DCE79D1C633D9654392240F8215787DF8A6D08085257DB51F28FF2A8023A13333DDA3EA7F9BDC8B9C57B605F0A0
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L...^y.V...........!.................).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text............................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):118784
                          Entropy (8bit):6.425120053243541
                          Encrypted:false
                          SSDEEP:
                          MD5:74C44D664457CEC263E2E2BC1C59CD7A
                          SHA1:3C30917C961042933911D796A18CE338C5960BF3
                          SHA-256:C2E0A3F3540E05FB36F1A17B0228FF4BA2C6BCEC89D9F806CD281C4D8D42161B
                          SHA-512:9C0483ACF134F6FD727E2F8BA536953A3515EC7C3518DFF58F50D92573F033D9E2FE9DA65A62B6B32ABE393F2F79F32F611F4AFA947FF4A37C08C07E00814497
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$p.-`..~`..~`..~&@.~u..~&@:~...~...~a..~&@;~S..~...~i..~`..~...~mC?~a..~mC.~a..~mC.~a..~mC.~a..~Rich`..~........................PE..L....^UV...........!................Sp.......@............................... ............@.........................p...2.......P...............................p....A..8...............................@............@..<............................text...L-.......................... ..`.rdata..Nn...@...p...2..............@..@.data....:..........................@....rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:ASCII text, with no line terminators
                          Category:modified
                          Size (bytes):2
                          Entropy (8bit):1.0
                          Encrypted:false
                          SSDEEP:
                          MD5:444BCB3A3FCF8389296C49467F27E1D6
                          SHA1:7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB
                          SHA-256:2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
                          SHA-512:9FBBBB5A0F329F9782E2356FA41D89CF9B3694327C1A934D6AF2A9DF2D7F936CE83717FB513196A4CE5548471708CD7134C2AE99B3C357BCABB2EAFC7B9B7570
                          Malicious:false
                          Reputation:low
                          Preview:ok
                          Process:C:\Users\alfredo\AppData\Local\Temp\diskspd.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):104857600
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:2F282B84E7E608D5852449ED940BFC51
                          SHA1:2C2CECCB5EC5574F791D45B63C940CFF20550F9A
                          SHA-256:20492A4D0D84F8BEB1767F6616229F85D44C2827B64BDBFB260EE12FA1109E0E
                          SHA-512:2798503C2C7B718799324122137BF30A562AAD1BC04BBF343DAAD225A5FD0D1FD5D269843A01AB00D4F8D8C5AB34F8956065F9831EF7459E9C487E895099E956
                          Malicious:false
                          Reputation:low
                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):173248
                          Entropy (8bit):6.6479028323473806
                          Encrypted:false
                          SSDEEP:
                          MD5:B7819E2C9ADA79F6123BA7A492E39715
                          SHA1:E7F05363626233ACE6DFD7C7E8055B5B304B7257
                          SHA-256:3C153E1C96C5FFF2C5ED5AADA23E1EC65EECE4A64891B104164B5728276FEFAE
                          SHA-512:005B67A73FA0879F6C1B203FFD2ABBB330A36D0C3B84D684AB0163E9E8B67A5347AFA0B8194AFC9D817E3B6B581FEF1E0516EF7A5A9D4C6CCB8B4F85AE71EB0A
                          Malicious:true
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...................W...........................................i...V.....V.t....V.....Rich...........PE..L....rL^.....................>.......\............@..........................0............@.................................4J.......................p...4...........5..p....................6.......6..@...............T............................text...L........................... ..`.rdata..:...........................@..@.data.......`.......H..............@....rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\alfredo\Desktop\SetupFA.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Category:dropped
                          Size (bytes):144992
                          Entropy (8bit):7.659683959927693
                          Encrypted:false
                          SSDEEP:
                          MD5:716ECD6BCD635F7787C9B8AF33192611
                          SHA1:533F52DD61928D45DF5C461B8E5EB335E2D1E49E
                          SHA-256:A291878878FE863DB83FD213BC461C06618CC0F2F24F6054583471BAFC82949F
                          SHA-512:3F24FA77FE06FC26AB6E7A0C8C321384F9112B3E6DFD3519C4E7984BB1AD37479AF7B48F5A34C11CBEF22AB4B248437E922BD7D24DEE3BDEFBC59E15E42744E0
                          Malicious:false
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF.qv..RF..T@..RF.Rich.RF.........................PE..L...oy.V.................`...........1.......p....@.......................... ......,........................................t..........hA..........0[...4...........................................................p...............................text...<^.......`.................. ..`.rdata..j....p.......d..............@..@.data...8]...........x..............@....ndata...................................rsrc...hA.......B...~..............@..@................................................................................................................................................................................................................................................................................................................................................
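The dropped-file records above are the raw material for an IOC list, but the flattened Key:Value dump has to be parsed first, and the same file can appear under several writing processes. The script below is an added example, not Joe Sandbox code: it parses records in this page's format into dicts, applies four triage rules (the sandbox's own Malicious flag; packed PEs, by UPX marker or entropy above 7.0; PEs written by a process that itself runs from %TEMP%, as Fast! Installer.exe does; and large zero-filled files such as the 100 MiB scratch file diskspd.exe writes) and keys the result by SHA-256 so duplicates collapse. SAMPLE is five records copied from this page and cut down to the fields the rules need; the rules and thresholds are this example's choices, not the report's.

```python
"""Turn the report's dropped-file records into a deduplicated triage list.

Added example (not Joe Sandbox code). Input is the flattened 'Key:Value' text of
this page, one record per dropped file, each starting at 'Process:'. SAMPLE is
five records copied from the page with SHA1/SHA-512/SSDEEP/Preview lines removed.
"""
SAMPLE = r"""
Process:C:\Users\alfredo\AppData\Local\Temp\Fast! Installer.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):9728
Entropy (8bit):5.052729239776183
MD5:C4BE29CD82D2D02FABADB153C8A54846
SHA-256:1D85D2A1216909905B095284894BFC54840C15E949B1BC8711734EEEA795A60F
Malicious:false
Process:C:\Users\alfredo\Desktop\SetupFA.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes):25088
Entropy (8bit):7.591489461851231
MD5:6C2B245E89428FB917A5805815A4054E
SHA-256:0558BBDFE61EEFB680E8560A7D4B174447A9516098F9CD8B4C84BF1552CEE5C5
Malicious:false
Process:C:\Users\alfredo\Desktop\SetupFA.exe
File Type:ASCII text, with no line terminators
Size (bytes):2
Entropy (8bit):1.0
MD5:444BCB3A3FCF8389296C49467F27E1D6
SHA-256:2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
Malicious:false
Process:C:\Users\alfredo\AppData\Local\Temp\diskspd.exe
File Type:data
Size (bytes):104857600
Entropy (8bit):0.0
MD5:2F282B84E7E608D5852449ED940BFC51
SHA-256:20492A4D0D84F8BEB1767F6616229F85D44C2827B64BDBFB260EE12FA1109E0E
Malicious:false
Process:C:\Users\alfredo\Desktop\SetupFA.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):173248
Entropy (8bit):6.6479028323473806
MD5:B7819E2C9ADA79F6123BA7A492E39715
SHA-256:3C153E1C96C5FFF2C5ED5AADA23E1EC65EECE4A64891B104164B5728276FEFAE
Malicious:true
"""


def parse_records(text: str) -> list:
    """Split the Key:Value dump into one dict per dropped-file record."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")   # split on the first colon only
        if not sep:
            continue                                    # blank or non-field line
        if key == "Process":                            # each record opens with its writer
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    return records


def triage(rec: dict) -> list:
    """Rules applied to one record; an empty list means nothing to chase."""
    ftype = rec.get("File Type", "")
    is_pe = ftype.startswith("PE32")
    entropy = float(rec.get("Entropy (8bit)") or 0.0)
    size = int(rec.get("Size (bytes)") or 0)
    writer = rec.get("Process", "")
    reasons = []
    if rec.get("Malicious") == "true":
        reasons.append("flagged malicious by the sandbox")
    if is_pe and ("UPX" in ftype or entropy > 7.0):     # threshold is this example's choice
        reasons.append(f"packed PE (entropy {entropy:.2f})")
    if is_pe and "\\AppData\\Local\\Temp\\" in writer:
        reasons.append("PE written by a process that itself runs from %TEMP%")
    if not is_pe and size >= 50 * 2**20 and entropy == 0.0:
        reasons.append(f"{size // 2**20} MiB zero-filled file, typical of benchmark scratch space")
    return reasons


def triage_report(text: str) -> dict:
    """SHA-256 -> reasons; one entry per distinct file even if several processes wrote it."""
    flagged = {}
    for rec in parse_records(text):
        reasons = triage(rec)
        if reasons and rec["SHA-256"] not in flagged:
            flagged[rec["SHA-256"]] = reasons
    return flagged


if __name__ == "__main__":
    for sha256, reasons in triage_report(SAMPLE).items():
        print(sha256, "->", "; ".join(reasons))
```

Feed the script the full dropped-files section of a report rather than SAMPLE to get the complete list; the rules are deliberately few so that each hit is worth a human look.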
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.910997719941767
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:SetupFA.exe
                          File size:364528
                          MD5:6c685e04456f4354cf5e9a7d862ee97d
                          SHA1:e802b06cdef89596f240ab4e560e0378d3cf5ccb
                          SHA256:3f68f7ff284fc3d240d12405ffc79f13e1bf4d099dcfd64f8b03ead2efdf25b1
                          SHA512:4795310733b87fe830237222f150d9d83815d3c07b866522be7a312b28e3a2b634b0e1fc568dea6ce8b6766d4ccbb8c24fdad2d2a9495c3893e5a32b4f35d411
                          SSDEEP:6144:ynx1QXNVH6vrvaa6TYo+5WoEXVSUfQlgt8/P+lPccMOEb5h8MHgOMlrvaa6TYo+b:zX36vrMk5NcZQSt8YPfMO0h3srMk5NcY
                          TLSH:1474129A36D04937EBD582F07C3AE37FF57B4A42818559431B908D36BF322D1C94AA6C
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...oy.V.................`.........
                          Icon Hash:e0d08cf8d8ccc8e0
                          Entrypoint:0x40310d
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x567F796F [Sun Dec 27 05:38:55 2015 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:29b61e5a552b3a9bc00953de1c93be41
                          Signature Valid:true
                          Signature Issuer:CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
                          Signature Validation Error:The operation completed successfully
                          Error Number:0
                           Not Before: 5/20/2019 6:39:50 PM
                           Not After: 5/20/2020 5:51:43 PM
                          Subject Chain
                          • CN=Fast Corporate LTD, O=Fast Corporate LTD, L=Kfar Saba, C=IL
                          Version:3
                          Thumbprint MD5:86CAA7A78F480716D11551D0DAFDF8B3
                          Thumbprint SHA-1:28C92A8D1C570AD2219A62789E7D6388DAFD2F83
                          Thumbprint SHA-256:F890446C69A9185F3C0CBCBC1E7C54CFA9933F6974DA61AA72F6C41BFFBF1F45
                          Serial:00EAE2AED6D6A503F0
                          Instruction
                          sub esp, 00000180h
                          push ebx
                          push ebp
                          push esi
                          push edi
                          xor ebx, ebx
                          push 00008001h
                          mov dword ptr [esp+1Ch], ebx
                          mov dword ptr [esp+14h], 00409188h
                          xor esi, esi
                          mov byte ptr [esp+18h], 00000020h
                          call dword ptr [004070B4h]
                          call dword ptr [004070B0h]
                          cmp ax, 00000006h
                          je 00007F985094A9E3h
                          push ebx
                          call 00007F985094D7B9h
                          cmp eax, ebx
                          je 00007F985094A9D9h
                          push 00000C00h
                          call eax
                          push 0040917Ch
                          call 00007F985094D73Ah
                          push 00409174h
                          call 00007F985094D730h
                          push 00409168h
                          call 00007F985094D726h
                          push 0000000Dh
                          call 00007F985094D789h
                          push 0000000Bh
                          call 00007F985094D782h
                          mov dword ptr [0042EC44h], eax
                          call dword ptr [00407034h]
                          push ebx
                          call dword ptr [00407270h]
                          mov dword ptr [0042ECF8h], eax
                          push ebx
                          lea eax, dword ptr [esp+34h]
                          push 00000160h
                          push eax
                          push ebx
                          push 00429078h
                          call dword ptr [00407160h]
                          push 0040915Ch
                          push 0042E440h
                          call 00007F985094D3B9h
                          call dword ptr [004070ACh]
                          mov ebp, 00434000h
                          push eax
                          push ebp
                          call 00007F985094D3A7h
                          push ebx
                          call dword ptr [00407144h]
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74d8 | 0xa0 | .rdata
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d000 | 0x4168 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x55b30 | 0x34c0 | (not in a section: for this entry the first value is a file offset, not an RVA)
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | (none)
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | (none)
                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x1000 | 0x5e3c | 0x6000 | False | 0.6686197916666666 | data | 6.432295288512854 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rdata | 0x7000 | 0x126a | 0x1400 | False | 0.43359375 | data | 5.00588726544978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .data | 0x9000 | 0x25d38 | 0x600 | False | 0.474609375 | data | 4.291756049727371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .ndata | 0x2f000 | 0xe000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .rsrc | 0x3d000 | 0x4168 | 0x4200 | False | 0.6267755681818182 | data | 5.9853084055645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
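The section table, the data directories and the signature block above carry three facts worth checking by hand on any installer: .ndata has a virtual size of 0xe000 but a raw size of 0 (it exists only in memory; NSIS keeps its runtime data there); the five sections' raw sizes sum to only 0xc200 while the SECURITY entry starts at 0x55b30, so roughly 300 KB of appended data, the NSIS archive, sits between the last section and the signature; and 0x55b30 + 0x34c0 = 0x58ff0 = 364528, exactly the file size, so the Authenticode blob is the tail of that overlay. The script below is an added example, not Joe Sandbox code. It parses those headers with the standard library alone and runs the same checks on a small PE it constructs inline; the section name UPX1, the appended payload and the fake signature blob in that sample are stand-ins, not data from SetupFA.exe.

```python
"""PE triage: section anomalies, overlay size and where the Authenticode blob sits.

Added example, standard library only. The image analysed is constructed below and
is not one of the report's files; the checks are the ones to run on SetupFA.exe and
on every dropped PE.
"""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # this entry holds a file offset + size, not an RVA


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0), the report's 'Entropy (8bit)'."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (coff_timestamp, data_directories, sections) for a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ optional header
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr,
                         "flags": flags, "entropy": entropy8(data[rptr:rptr + rsize])})
    return timestamp, dirs, sections


def triage(data: bytes) -> dict:
    """Flag what a reviewer checks first; returns a dict so a caller can assert on it."""
    timestamp, dirs, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s["rsize"] == 0 and s["vsize"]:
            findings.append(f'{s["name"]}: virtual-only, {s["vsize"]:#x} bytes exist only in memory')
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f'{s["name"]}: writable+executable')
        if s["entropy"] > 7.0:
            findings.append(f'{s["name"]}: entropy {s["entropy"]:.2f}, packed or encrypted')
    end = max(s["rptr"] + s["rsize"] for s in sections)    # last file byte any section covers
    overlay = len(data) - end
    sig_off, sig_size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY]
    signed = sig_size > 0
    if signed and sig_off + sig_size != len(data):
        findings.append("Authenticode blob is not the tail of the file")
    payload = sig_off - end if signed and sig_off >= end else overlay
    if payload > 0:                                         # bytes no section and no signature explain
        findings.append(f"overlay: {payload} bytes of appended data"
                        + (f" before the {sig_size}-byte signature" if signed else ""))
    return {"timestamp": timestamp, "signed": signed, "overlay": overlay, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed NSIS-like PE32 (stand-in data, not from the report): a code section, a
    packed W+X section, a virtual-only .ndata, appended payload and a fake signature tail."""
    text = b"\x90" * 0x200                      # low-entropy code stub
    packed = bytes(range(256)) * 2              # every byte value twice -> entropy exactly 8.0
    payload = b"NSIS-ARCHIVE" * 16              # stand-in for the appended installer archive
    sig = b"\x30\x82" + b"\0" * 62              # stand-in for the PKCS#7 blob, not a real signature
    text_off = 0x200                            # headers padded to one 0x200 file-alignment unit
    packed_off = text_off + len(text)
    sig_off = packed_off + len(packed) + len(payload)
    secs = [(b".text", 0x200, 0x1000, len(text), text_off, 0x60000020),      # CODE|EXEC|READ
            (b"UPX1", 0x1000, 0x2000, len(packed), packed_off, 0xE0000040),  # DATA|EXEC|READ|WRITE
            (b".ndata", 0xE000, 0x3000, 0, 0, 0xC0000080)]                   # UNINIT|READ|WRITE
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (sig_off, len(sig))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x567F796F, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)  # PE32, 16 dirs
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in secs)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(text_off, b"\0")
    return headers + text + packed + payload + sig


if __name__ == "__main__":
    for line in triage(build_sample_pe())["findings"]:
        print(line)
```

Two caveats the report's own fields invite. The COFF Time Stamp (Dec 27 2015) predates the signing certificate's Not Before (5/20/2019) by more than three years; for an NSIS package that is expected, because makensis prepends a precompiled stub and the timestamp is the stub's build time, not the packaging time, which is also why the dropped DLLs carry similar late-2015 stamps in their previews. And "Signature Valid: true" on a certificate that expired on 5/20/2020 is only sound if the signature carries an RFC 3161 timestamp countersignature; the report does not show one, so confirm with `signtool verify /v /pa SetupFA.exe` or PowerShell's `Get-AuthenticodeSignature` before treating Fast Corporate LTD as the accountable signer.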
                           Name | RVA | Size | Type | Language | Country
                           RT_ICON | 0x3d2e0 | 0x10a8 | data | English | United States
                           RT_ICON | 0x3e388 | 0xea8 | data | English | United States
                           RT_ICON | 0x3f230 | 0x8a8 | data | English | United States
                           RT_ICON | 0x3fad8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                           RT_ICON | 0x40040 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                           RT_ICON | 0x404a8 | 0x2e8 | data | English | United States
                           RT_ICON | 0x40790 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                           RT_DIALOG | 0x408b8 | 0x202 | data | English | United States
                           RT_DIALOG | 0x40ac0 | 0xf8 | data | English | United States
                           RT_DIALOG | 0x40bb8 | 0xa0 | data | English | United States
                           RT_DIALOG | 0x40c58 | 0xee | data | English | United States
                           RT_GROUP_ICON | 0x40d48 | 0x68 | data | English | United States
                           RT_MANIFEST | 0x40db0 | 0x3b3 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                           DLL | Import
                           KERNEL32.dll | SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, CreateDirectoryA, lstrcmpiA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, GetWindowsDirectoryA, GetTempPathA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
                           USER32.dll | GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
                           GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                           SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                           ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                           COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                           ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
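The Import Hash shown above (29b61e5a552b3a9bc00953de1c93be41) is derived from exactly this import table. The script below is an added example, not Joe Sandbox or pefile code; it implements the pefile/Mandiant imphash recipe over the table as listed on this page and reports whether the recomputed value equals the report's rather than assuming the listing preserves import-directory order. The practical caveat: the imports belong to the prebuilt NSIS stub, not to the program it packages, so every installer built with the same stub shares this imphash. It is a pivot for "NSIS installer", not for this family, and it says nothing about the dropped PE the report marks malicious.

```python
"""Recompute the report's 'Import Hash' from the import table above.

Added example (not Joe Sandbox or pefile code). Recipe, as pefile's get_imphash():
each import becomes 'dll.function' with the DLL name lowercased and its
.dll/.ocx/.sys extension removed, the function name lowercased, all joined by
commas in import-table order, then MD5. IMPORTS is copied from this page.
"""
import hashlib

REPORT_IMPHASH = "29b61e5a552b3a9bc00953de1c93be41"

IMPORTS = [
    ("KERNEL32.dll", "SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, CreateDirectoryA, lstrcmpiA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, GetWindowsDirectoryA, GetTempPathA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary"),
    ("USER32.dll", "GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA"),
    ("GDI32.dll", "SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor"),
    ("SHELL32.dll", "SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA"),
    ("ADVAPI32.dll", "RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA"),
    ("COMCTL32.dll", "ImageList_Create, ImageList_Destroy, ImageList_AddMasked"),
    ("ole32.dll", "OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance"),
]


def imphash(imports) -> str:
    """MD5 over 'dll.func' pairs in import-table order (pefile's get_imphash() recipe)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):          # extensions pefile strips
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.strip().lower()}" for f in funcs.split(",") if f.strip())
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def matches_report(imports=IMPORTS) -> bool:
    """True only if the listing above is in import-directory order; a False here means
    the order was changed in rendering, not that the table is wrong."""
    return imphash(imports) == REPORT_IMPHASH


def sensitivity_demo() -> dict:
    """What the hash ignores (DLL name case) and what it keys on (import order)."""
    base = imphash(IMPORTS)
    recased = imphash([(dll.upper(), funcs) for dll, funcs in IMPORTS])
    reordered = imphash(list(reversed(IMPORTS)))
    return {"base": base, "recased_same": recased == base, "reordered_same": reordered == base}


if __name__ == "__main__":
    print("recomputed:", imphash(IMPORTS), "report:", REPORT_IMPHASH,
          "match" if matches_report() else "mismatch (listing order differs from the import directory)")
```

Because the hash keys on order, two builds that import the same functions in a different sequence get different imphashes; that is why it groups samples by toolchain and packer rather than by author, and why an NSIS-stub imphash alone is not a detection.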
                           Language of compilation system | Country where language is spoken
                           English | United States