
Windows Analysis Report
https://jamartech.net/Files/softwareinstalls/STARnext Install 1.3.4.0.exe

Overview

General Information

Sample URL: https://jamartech.net/Files/softwareinstalls/STARnext Install 1.3.4.0.exe
Analysis ID: 1337957

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file does not import any functions
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
PE file contains sections with non-standard names
Found dropped PE file which has not been started or loaded
PE file overlay found
PE file contains executable resources (Code or Archives)

Classification

Classification chart (legend only; the chart image was not captured): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
  • System is w10x64native
  • chrome.exe (PID: 8152 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 464953824E644F10FFDC9E093FD18F94)
    • chrome.exe (PID: 4880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
    • chrome.exe (PID: 8116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2880 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
    • chrome.exe (PID: 7500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3208 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
    • chrome.exe (PID: 4804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4520 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
    • chrome.exe (PID: 7212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)
    • STARnext Install 1.3.4.0.exe (PID: 1756 cmdline: "C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe" MD5: 31132F615BB6B9A7386F80FA64433E3E)
      • STARnext Install 1.3.4.0.tmp (PID: 4252 cmdline: "C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp" /SL5="$1B5001C,38811898,832512,C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe" MD5: 5C7D7547470BD0AD53E917EB3B41B245)
  • chrome.exe (PID: 5344 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://jamartech.net/Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe MD5: 464953824E644F10FFDC9E093FD18F94)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.JAMAR Technologies Inc. Software License AgreementThis software license agreement including any warranties and special provisions is a legal agreement between you (as an entity or an individual) and JAMAR Technologies Inc. By installing or otherwise using this software you are agreeing to be bound by the terms of this agreement. If you do not agree to the terms of this agreement return the unused software along with all accompanying documentation to JAMAR Technologies Inc.The Software which accompanies this agreement is and will remain the property of JAMAR Technologies Inc. and is protected by copyright law. JAMAR Technologies Inc. is providing you with certain rights to use the Software upon your acceptance of this agreement.YOU MAY:1)Use the Software on up to as many computers as allowed per the license purchased with the following provisions:a) All computers that use this Software are located in the same building;b) All persons using the Software are employed by the individual or entity that originally purchased the Software.2)Use the software on a home computer with the following provisions:a) The individual using the Software on a home computer is employed by the individual or entity that originally purchased the Software;b) The individual is doing work for the individual or entity that originally purchased the Software.YOU MAY NOT:1)sublicense lease transfer or rent any portion of the Software;2) reverse engineer decompile disassemble modify translate make any attempts to reconstruct or find the source code for the Software.U.S. GOVERNMENT RESTRICTED RIGHTSThe Software and documentation are provided with RESTRICTED RIGHTS. 
Use duplication or disclosure by the United States Government is subject to the restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19 as applicable. Manufacturer is JAMAR Technologies Inc./1500 Industry Road Suite C Hatfield PA 19440.INFORMATION COLLECTEDUser information is collected and stored during registration to verify licensing. This information is stored only for license purposes and is not shared with any third parties.WARRANTYJAMAR Technologies Inc. warrants that the media on which the Software is distributed will be free from defects for a period of ninety (90) days from the date of delivery of the Software to you. Your sole remedy for a breach of this warranty will be that JAMAR Technologies Inc. will at its option replace any defective media returned to JAMAR Technologies Inc. within the warranty period or refund the purchase price of the Software.The Software is provided as is without warranty of any
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-11-06 #001.txt
Source: unknown | HTTPS traffic detected: 35.186.224.25:443 -> 192.168.11.20:50112 version: TLS 1.2
Source: unknown | Network traffic detected: HTTP traffic on port 63240 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53714
Source: unknown | Network traffic detected: HTTP traffic on port 53891 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63240
Source: unknown | Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown | Network traffic detected: HTTP traffic on port 64599 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58236
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53891
Source: unknown | Network traffic detected: HTTP traffic on port 58236 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52560
Source: unknown | Network traffic detected: HTTP traffic on port 53714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52560 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63243
Source: unknown | Network traffic detected: HTTP traffic on port 60568 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 63243 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64599
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60568
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | TCP traffic detected without corresponding DNS query: 35.186.224.25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown | UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown | UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45373739153.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000003.45381125722.0000000003670000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.jamartech.com/2http://www.jamartech.com/2http://www.jamartech.com/
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000002.45603471315.00000000024B6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.jamartech.com/pfK
Source: STARnext Install 1.3.4.0.tmp, 0000000F.00000002.45604288347.00000000026F6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.jamartech.com/pfo
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000002.45603471315.000000000245C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.org
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000002.45603471315.000000000245C000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45373739153.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000003.45381125722.0000000003670000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000002.45604288347.0000000002653000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.orgAbout
Source: STARnext Install 1.3.4.0.tmp, 0000000F.00000002.45604288347.000000000264B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.orgP
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000000.45373073937.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Unconfirmed 530055.crdownload.0.dr | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000000.45378535082.0000000000401000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: https://www.innosetup.com/
Source: STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000000.45378535082.0000000000401000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: https://www.remobjects.com/ps
Source: unknown | HTTP traffic detected:
    POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
    Host: accounts.google.com
    Connection: keep-alive
    Content-Length: 1
    Origin: https://www.google.com
    Content-Type: application/x-www-form-urlencoded
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979; AEC=Ad49MVFf9Dv7B6egeOgj1KRs9zEJFl7xTeHKFuDQ4w-0aMcEh1ZbUV4GCw; NID=511=Fb9m6orBsCk8g8okbxd0bNA5e4gEdvsO4EJi3xyY6m7-87MqmFZCjWOfTMjEV-QOLAUoCOhPhFMtvtTgGBvdcCeiVLC5sWNyO_yH0057J1bn8o-spwJb2f-JESUqLUGpJTjHkEs42-DVHUt3379gqE-vONgrrWk5I_jFZltuOMiAhKI4gkjoN1x_
Source: unknown | DNS traffic detected: queries for: accounts.google.com
Source: global traffic | HTTP traffic detected:
    GET /v1/live-tile-xml?region=GB&language=en-US HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Microsoft-WNS/10.0
    Host: spclient.wg.spotify.com
Source: global traffic | HTTP traffic detected:
    GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=94.0.4606.61&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
    Host: clients2.google.com
    Connection: keep-alive
    X-Goog-Update-Interactivity: fg
    X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
    X-Goog-Update-Updater: chromecrx-94.0.4606.61
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe HTTP/1.1
    Host: jamartech.net
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | TCP traffic: 192.168.11.20:52743 -> 239.255.255.250:1900
Source: global traffic | TCP traffic: 192.168.11.20:52743 -> 239.255.255.250:1900
Source: global traffic | TCP traffic: 192.168.11.20:52743 -> 239.255.255.250:1900
Source: global traffic | TCP traffic: 192.168.11.20:52743 -> 239.255.255.250:1900
Source: unknown | HTTPS traffic detected: 35.186.224.25:443 -> 192.168.11.20:50112 version: TLS 1.2
Source: bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp.0.dr | Static PE information: No import functions for PE file found
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Section loaded: edgegdi.dll
Source: bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp.0.dr | Static PE information: Data appended to the last section found
Source: STARnext Install 1.3.4.0.tmp.14.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://jamartech.net/Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2880 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3208 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4520 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe "C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp" /SL5="$1B5001C,38811898,832512,C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2880 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3208 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4520 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe "C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp" /SL5="$1B5001C,38811898,832512,C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp
Source: classification engine | Classification label: clean4.win@37/6@6/6
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Automated click: Install
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Automated click: Install
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Automated click: Install
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Automated click: Install
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.JAMAR Technologies Inc. Software License AgreementThis software license agreement including any warranties and special provisions is a legal agreement between you (as an entity or an individual) and JAMAR Technologies Inc. By installing or otherwise using this software you are agreeing to be bound by the terms of this agreement. If you do not agree to the terms of this agreement return the unused software along with all accompanying documentation to JAMAR Technologies Inc.The Software which accompanies this agreement is and will remain the property of JAMAR Technologies Inc. and is protected by copyright law. JAMAR Technologies Inc. is providing you with certain rights to use the Software upon your acceptance of this agreement.YOU MAY:1)Use the Software on up to as many computers as allowed per the license purchased with the following provisions:a) All computers that use this Software are located in the same building;b) All persons using the Software are employed by the individual or entity that originally purchased the Software.2)Use the software on a home computer with the following provisions:a) The individual using the Software on a home computer is employed by the individual or entity that originally purchased the Software;b) The individual is doing work for the individual or entity that originally purchased the Software.YOU MAY NOT:1)sublicense lease transfer or rent any portion of the Software;2) reverse engineer decompile disassemble modify translate make any attempts to reconstruct or find the source code for the Software.U.S. GOVERNMENT RESTRICTED RIGHTSThe Software and documentation are provided with RESTRICTED RIGHTS. Use duplication or disclosure by the United States Government is subject to the restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19 as applicable. Manufacturer is JAMAR Technologies Inc./1500 Industry Road Suite C Hatfield PA 19440.INFORMATION COLLECTEDUser information is collected and stored during registration to verify licensing. This information is stored only for license purposes and is not shared with any third parties.WARRANTYJAMAR Technologies Inc. warrants that the media on which the Software is distributed will be free from defects for a period of ninety (90) days from the date of delivery of the Software to you. Your sole remedy for a breach of this warranty will be that JAMAR Technologies Inc. will at its option replace any defective media returned to JAMAR Technologies Inc. within the warranty period or refund the purchase price of the Software.The Software is provided as is without warranty of any
Source: bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp.0.dr | Static PE information: real checksum: 0x25e1ba7 should be: 0x15550
Source: bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp.0.dr | Static PE information: section name: .didata
Source: Unconfirmed 530055.crdownload.0.dr | Static PE information: section name: .didata
Source: STARnext Install 1.3.4.0.tmp.14.dr | Static PE information: section name: .didata
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2COJS.tmp\_isetup\_setup64.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 530055.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-11-06 #001.txt
Source: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2COJS.tmp\_isetup\_setup64.tmp
Source: Unconfirmed 530055.crdownload.0.dr | Binary or memory string: HGFsGI
Source: Unconfirmed 530055.crdownload.0.dr | Binary or memory string: qEMUP
MITRE ATT&CK matrix (a leading number in a cell is the count of signatures matched for that technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Network Service Scanning | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 3 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 2 System Owner/User Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 4 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud | 
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1337957, URL: https://jamartech.net/Files..., Startdate: 06/11/2023, Architecture: WINDOWS, Score: 4):

  • Contacted from the start node: www.google.com, jamartech.net, 3 other IPs or domains
  • Started from the start node: chrome.exe, chrome.exe
  • chrome.exe: contacts 192.168.11.20 (unknown) and 239.255.255.250 (unknown, Reserved); drops bf411dd2-7f9b-4e89-8ebe-29a90ebf5fdb.tmp (PE32), C:\Users\...\Unconfirmed 530055.crdownload (PE32), (copy) (PE32); starts STARnext Install 1.3.4.0.exe, chrome.exe, chrome.exe and 3 other processes
  • STARnext Install 1.3.4.0.exe: drops C:\Users\...\STARnext Install 1.3.4.0.tmp (PE32); starts STARnext Install 1.3.4.0.tmp
  • chrome.exe: contacts www.google.com 142.250.217.228 (GOOGLEUS, United States), accounts.google.com 142.251.35.237 (GOOGLEUS, United States) and 2 other IPs or domains
  • STARnext Install 1.3.4.0.tmp: drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)

Source | Detection | Scanner | Label | Link
https://jamartech.net/Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe | 0% | Avira URL Cloud | safe | 

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-2COJS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp | 0% | ReversingLabs | | 
C:\Users\user\Downloads\Unconfirmed 530055.crdownload | 0% | ReversingLabs | | 

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.kymoto.orgAbout | 0% | Avira URL Cloud | safe | 
http://www.jamartech.com/pfo | 0% | Avira URL Cloud | safe | 
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | Avira URL Cloud | safe | 
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | Avira URL Cloud | safe | 
https://www.remobjects.com/ps | 0% | Avira URL Cloud | safe | 
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | Avira URL Cloud | safe | 
https://sectigo.com/CPS0 | 0% | Avira URL Cloud | safe | 
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | Avira URL Cloud | safe | 
http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe | 
http://www.jamartech.com/2http://www.jamartech.com/2http://www.jamartech.com/ | 0% | Avira URL Cloud | safe | 
https://www.innosetup.com/ | 0% | Avira URL Cloud | safe | 
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | Avira URL Cloud | safe | 
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | Avira URL Cloud | safe | 
http://www.jamartech.com/pfK | 0% | Avira URL Cloud | safe | 
http://www.kymoto.orgP | 0% | Avira URL Cloud | safe | 
Name | IP | Active | Malicious | Antivirus Detection | Reputation
accounts.google.com | 142.251.35.237 | true | false | | high
jamartech.net | 107.180.28.214 | true | false | | unknown
www.google.com | 142.250.217.228 | true | false | | high
clients.l.google.com | 192.178.50.78 | true | false | | high
clients2.google.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://spclient.wg.spotify.com/v1/live-tile-xml?region=GB&language=en-US | false | | high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | false | | high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=94.0.4606.61&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 | false | | high
https://jamartech.net/Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jamartech.com/2http://www.jamartech.com/2http://www.jamartech.com/ | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45373739153.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000003.45381125722.0000000003670000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | STARnext Install 1.3.4.0.exe, 0000000E.00000000.45373073937.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Unconfirmed 530055.crdownload.0.dr | false | | high
https://sectigo.com/CPS0 | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.remobjects.com/ps | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000000.45378535082.0000000000401000.00000020.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kymoto.orgAbout | STARnext Install 1.3.4.0.exe, 0000000E.00000002.45603471315.000000000245C000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45373739153.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000003.45381125722.0000000003670000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000002.45604288347.0000000002653000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jamartech.com/pfo | STARnext Install 1.3.4.0.tmp, 0000000F.00000002.45604288347.00000000026F6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.innosetup.com/ | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002730000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.tmp, 0000000F.00000000.45378535082.0000000000401000.00000020.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | STARnext Install 1.3.4.0.exe, 0000000E.00000003.45375292347.000000007FE34000.00000004.00001000.00020000.00000000.sdmp, STARnext Install 1.3.4.0.exe, 0000000E.00000003.45374543129.0000000002828000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kymoto.org | STARnext Install 1.3.4.0.exe, 0000000E.00000002.45603471315.000000000245C000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.jamartech.com/pfK | STARnext Install 1.3.4.0.exe, 0000000E.00000002.45603471315.00000000024B6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kymoto.orgP | STARnext Install 1.3.4.0.tmp, 0000000F.00000002.45604288347.000000000264B000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.178.50.78 | clients.l.google.com | United States | | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | | unknown | unknown | false
142.251.35.237 | accounts.google.com | United States | | 15169 | GOOGLEUS | false
142.250.217.228 | www.google.com | United States | | 15169 | GOOGLEUS | false
107.180.28.214 | jamartech.net | United States | | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false

Private IPs: 192.168.11.20
                        Joe Sandbox Version:38.0.0 Ammolite
                        Analysis ID:1337957
                        Start date and time:2023-11-06 23:32:00 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 6m 5s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Cookbook file name:browseurl.jbs
                        Sample URL:https://jamartech.net/Files/softwareinstalls/STARnext Install 1.3.4.0.exe
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                        Run name:Potential for more IOCs and behavior
Number of new started processes analysed:16
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:CLEAN
                        Classification:clean4.win@37/6@6/6
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, CompPkgSrv.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 142.250.64.163, 34.104.35.123, 142.250.64.227, 142.250.217.195, 192.178.50.67
                        • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com, www.gstatic.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing network information.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: https://jamartech.net/Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe
                        No simulations
                        No context
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):47879
                        Entropy (8bit):6.56095316795
                        Encrypted:false
                        SSDEEP:768:IWLNPgbS5ylNoVB35Ss8cUjil4y2TDk2JSsseZo:pZPqS0aBEOOilRt2JSoZo
                        MD5:4FBE7E0670DB0EC9A7E8C2C01DDD787F
                        SHA1:EF19CBD4EB5449894C860F60562591D1BAD4E0E7
                        SHA-256:3BC0572466B820AF86023DF7AF2509A1DA1F16E21A439F267D839F6A4601D951
                        SHA-512:9573FAF8E5B4C4220CC6AF4B4D7E40CED0BB4BDFF70A80A707131F160160994E3DEED72B31AB571D198E8554F1606E3460D3BE02A7D1758DD1C51DF8C8F85B9C
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp
                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):890
                        Entropy (8bit):5.264742859333302
                        Encrypted:false
                        SSDEEP:12:KSeTRmXjRm9XfaJf9RH1l11OBnQHO1wQ8MHkMrNFyi6iF/jIFAdLMuJSs:KZRmXM1GRHB1OBQ8z8WkM+eX9vJSs
                        MD5:C2FA945B05550B133331AB320484350B
                        SHA1:82E8211A8787A80007BAD6A659F7D67C30AB4EED
                        SHA-256:1D8F434F74CFCE38B588E8813040485AD3C955C3BDC57EB5AE9C7B1CE8564F89
                        SHA-512:E51C553A2231177F155501BB81EF5126AEDF6DC408C0A85264259BEB19B1ABDDE45A271532E3AF7EA3043ADAED5470B3E864CAEE4A5D6468668EC1F7E7D6AB92
                        Malicious:false
                        Reputation:low
Preview:
2023-11-06 23:35:05.247 Log opened. (Time zone: UTC+01:00)
2023-11-06 23:35:05.247 Setup version: Inno Setup version 6.2.1
2023-11-06 23:35:05.247 Original Setup EXE: C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe
2023-11-06 23:35:05.247 Setup command line: /SL5="$1B5001C,38811898,832512,C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
2023-11-06 23:35:05.247 Windows version: 10.0.19042 (NT platform: Yes)
2023-11-06 23:35:05.247 64-bit Windows: Yes
2023-11-06 23:35:05.247 Processor architecture: x64
2023-11-06 23:35:05.247 User privileges: Administrative
2023-11-06 23:35:05.311 Administrative install mode: Yes
2023-11-06 23:35:05.311 Install mode root key: HKEY_LOCAL_MACHINE
2023-11-06 23:35:05.311 64-bit install mode: Yes
2023-11-06 23:35:05.342 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-2COJS.tmp
                        Process:C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):6144
                        Entropy (8bit):4.720366600008286
                        Encrypted:false
                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3206880
                        Entropy (8bit):6.3254462564672425
                        Encrypted:false
                        SSDEEP:49152:jdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjT333TY5:oHDYsqiPRhINnq95FoHVBT333Tm
                        MD5:5C7D7547470BD0AD53E917EB3B41B245
                        SHA1:5AAEC7CDAA7A59FA2F0D53B2A2AEFA35FDA81A68
                        SHA-256:7281889028226BA214B8DC7B01277B602C6F330885DDFC4863E82A9D1C9232C9
                        SHA-512:88EFA34990B0F685F63D342EF5E1E048F25BEC3D7375C0EEC74526730580AD86A3E77CA29278DCD38B8202B3536FE7D4C7C34B312680214A91CD202AAA54FC64
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):39685584
                        Entropy (8bit):7.99664420393238
                        Encrypted:true
                        SSDEEP:786432:TxpTdIlo6r1YtNZasn/JKWM3tO/ZzYArGgvnGXH9mIMaubBVF24UPzd:FD+MNRUckA6KG39DubR4zd
                        MD5:31132F615BB6B9A7386F80FA64433E3E
                        SHA1:BA23ACC1E4F6FC85D48EEC42D5C5BA6B71F26D44
                        SHA-256:106D0AACE6C65802C1E884202F6A01A8950AE58E33F7F2B636DCCD52769DA7A6
                        SHA-512:E81FBE569814555934C15CD6FF1A842C5A1C86D746A13B9DCD64B7550FE97807F86FD2B9C8640F2021709924C56D436C21F41FCE18FF447E212645E86CA3845D
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):47879
                        Entropy (8bit):6.56095316795
                        Encrypted:false
                        SSDEEP:768:IWLNPgbS5ylNoVB35Ss8cUjil4y2TDk2JSsseZo:pZPqS0aBEOOilRt2JSoZo
                        MD5:4FBE7E0670DB0EC9A7E8C2C01DDD787F
                        SHA1:EF19CBD4EB5449894C860F60562591D1BAD4E0E7
                        SHA-256:3BC0572466B820AF86023DF7AF2509A1DA1F16E21A439F267D839F6A4601D951
                        SHA-512:9573FAF8E5B4C4220CC6AF4B4D7E40CED0BB4BDFF70A80A707131F160160994E3DEED72B31AB571D198E8554F1606E3460D3BE02A7D1758DD1C51DF8C8F85B9C
                        Malicious:false
                        Reputation:low
                        No static file info
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 6, 2023 23:34:03.767800093 CET | 192.168.11.20 | 1.1.1.1 | 0xe406 | Standard query (0) | accounts.google.com | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:03.773195028 CET | 192.168.11.20 | 1.1.1.1 | 0xa363 | Standard query (0) | clients2.google.com | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:05.815613031 CET | 192.168.11.20 | 1.1.1.1 | 0x37a8 | Standard query (0) | jamartech.net | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:08.522540092 CET | 192.168.11.20 | 1.1.1.1 | 0x66e1 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:30.531738043 CET | 192.168.11.20 | 1.1.1.1 | 0x2565 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:46.459132910 CET | 192.168.11.20 | 1.1.1.1 | 0x5ab7 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 6, 2023 23:34:03.897591114 CET | 1.1.1.1 | 192.168.11.20 | 0xe406 | No error (0) | accounts.google.com | | 142.251.35.237 | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:03.904014111 CET | 1.1.1.1 | 192.168.11.20 | 0xa363 | No error (0) | clients2.google.com | clients.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2023 23:34:03.904014111 CET | 1.1.1.1 | 192.168.11.20 | 0xa363 | No error (0) | clients.l.google.com | | 192.178.50.78 | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:05.955147982 CET | 1.1.1.1 | 192.168.11.20 | 0x37a8 | No error (0) | jamartech.net | | 107.180.28.214 | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:08.651928902 CET | 1.1.1.1 | 192.168.11.20 | 0x66e1 | No error (0) | www.google.com | | 142.250.217.228 | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:30.662008047 CET | 1.1.1.1 | 192.168.11.20 | 0x2565 | No error (0) | www.google.com | | 142.250.64.228 | A (IP address) | IN (0x0001) | false
Nov 6, 2023 23:34:46.589380980 CET | 1.1.1.1 | 192.168.11.20 | 0x5ab7 | No error (0) | www.google.com | | 142.250.64.228 | A (IP address) | IN (0x0001) | false
                        • spclient.wg.spotify.com
                        • accounts.google.com
                        • clients2.google.com
                        • jamartech.net
                        Target ID:0
                        Start time:23:34:01
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Target ID:4
                        Start time:23:34:02
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Target ID:6
                        Start time:23:34:05
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Program Files\Google\Chrome\Application\chrome.exe" "https://jamartech.net/Files/softwareinstalls/STARnext%20Install%201.3.4.0.exe
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:7
                        Start time:23:34:06
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2880 /prefetch:8
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:8
                        Start time:23:34:06
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3208 /prefetch:8
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:11
                        Start time:23:34:54
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4520 /prefetch:8
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:12
                        Start time:23:34:54
                        Start date:06/11/2023
                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,12610902750640063951,9451328977112228190,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 /prefetch:8
                        Imagebase:0x7ff728350000
                        File size:2'509'656 bytes
                        MD5 hash:464953824E644F10FFDC9E093FD18F94
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:14
                        Start time:23:35:04
                        Start date:06/11/2023
                        Path:C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
                        Imagebase:0x400000
                        File size:39'685'584 bytes
                        MD5 hash:31132F615BB6B9A7386F80FA64433E3E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:false

                        Target ID:15
                        Start time:23:35:04
                        Start date:06/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\is-PJK1A.tmp\STARnext Install 1.3.4.0.tmp" /SL5="$1B5001C,38811898,832512,C:\Users\user\Downloads\STARnext Install 1.3.4.0.exe"
                        Imagebase:0x400000
                        File size:3'206'880 bytes
                        MD5 hash:5C7D7547470BD0AD53E917EB3B41B245
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:false

                        No disassembly