Malware analysis Aviator-Predictor-FULL-main (1).zip Malicious activity

Add for printing

File name:	Aviator-Predictor-FULL-main (1).zip
Full analysis:	https://app.any.run/tasks/5a43a5a9-bfec-4cb3-b2b4-48b2d7f1e176
Verdict:	Malicious activity
Analysis date:	September 02, 2024, 07:32:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	2AD477B9C4FE0AC1F42E8D3FDBB5568A
SHA1:	6DEAEEF8409DCCD218EAA4C69CB1B52E104F7D84
SHA256:	05C3F1186CE7E2E82F2D6CE4770FFDC1D170CDABC1298595D8A6EA26BC230829
SSDEEP:	49152:ZJR8Em3mNAIhOR+wwehGP/bzLFfolk/Ml753S7BOuW6R5TR54tPa9m8ES0A5K4/v:zR8TmNAIhORhdM/LFfEk/Ml13A1PTRSo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Aviator-Hack.exe (PID: 6748)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
- Executable content was dropped or overwritten
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 940)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
- Starts a Microsoft application from unusual location
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
- Starts itself from another location
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
- Reads the date of Windows installation
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
- Drops the executable file immediately after the start
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 940)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
  - msiexec.exe (PID: 3028)
- Process drops legitimate windows executable
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 940)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - WinRAR.exe (PID: 6168)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
  - msiexec.exe (PID: 3028)
- Searches for installed software
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 3028)
- Creates a software uninstall entry
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 3028)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 3028)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 3028)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 6168)
  - msedge.exe (PID: 7772)
  - msedge.exe (PID: 6308)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
- Reads the computer name
  - identity_helper.exe (PID: 7472)
  - Aviator-Hack.exe (PID: 6748)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
  - msiexec.exe (PID: 5692)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - msiexec.exe (PID: 6948)
  - msiexec.exe (PID: 2360)
  - msiexec.exe (PID: 2132)
  - Aviator-Hack.exe (PID: 5712)
  - msiexec.exe (PID: 3028)
- Reads the software policy settings
  - slui.exe (PID: 7904)
  - msiexec.exe (PID: 3028)
  - slui.exe (PID: 6324)
- Create files in a temporary directory
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 940)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6168)
  - msedge.exe (PID: 6308)
  - msiexec.exe (PID: 3028)
- Reads Microsoft Office registry keys
  - Aviator-Hack.exe (PID: 6748)
  - msedge.exe (PID: 6308)
- Manual execution by a user
  - Aviator-Hack.exe (PID: 6748)
  - Aviator-Hack.exe (PID: 5712)
- Checks supported languages
  - identity_helper.exe (PID: 7472)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 940)
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)
  - Aviator-Hack.exe (PID: 6748)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
  - msiexec.exe (PID: 3028)
  - msiexec.exe (PID: 5692)
  - msiexec.exe (PID: 2360)
  - msiexec.exe (PID: 6948)
  - msiexec.exe (PID: 2132)
  - Aviator-Hack.exe (PID: 5712)
- Application launched itself
  - msedge.exe (PID: 6308)
- Reads Environment values
  - identity_helper.exe (PID: 7472)
- Creates files in the program directory
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
  - Aviator-Hack.exe (PID: 5712)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 3028)
  - windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7568)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3028)
- Checks proxy server information
  - slui.exe (PID: 6324)
- Process checks computer location settings
  - windowsdesktop-runtime-6.0.33-win-x64 (1).exe (PID: 3040)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:09:02 00:17:16
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Aviator-Predictor-FULL-main/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

204

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
252	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6992 --field-trial-handle=2360,i,9969674977196351859,17619899063040639157,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
940	"C:\Users\admin\Downloads\windowsdesktop-runtime-6.0.33-win-x64 (1).exe"	C:\Users\admin\Downloads\windowsdesktop-runtime-6.0.33-win-x64 (1).exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Desktop Runtime - 6.0.33 (x64) Exit code: 0 Version: 6.0.33.33916
1076	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5956 --field-trial-handle=2360,i,9969674977196351859,17619899063040639157,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
1224	C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding	C:\Windows\System32\rundll32.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
1332	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7480 --field-trial-handle=2360,i,9969674977196351859,17619899063040639157,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
1436	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5396 --field-trial-handle=2360,i,9969674977196351859,17619899063040639157,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
1780	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5544 --field-trial-handle=2360,i,9969674977196351859,17619899063040639157,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
2132	C:\Windows\syswow64\MsiExec.exe -Embedding 4B9C4D80675A2267DF934D279757A9A4	C:\Windows\SysWOW64\msiexec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800)
2228	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6628 --field-trial-handle=2360,i,9969674977196351859,17619899063040639157,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
2360	C:\Windows\syswow64\MsiExec.exe -Embedding 4AA06F8EB8BC5461C37D946333A5D0C4	C:\Windows\SysWOW64\msiexec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800)

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

539

Suspicious files

319

Text files

178

Unknown types

Dropped files

PID	Process	Filename		Type
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\FrmAviator.cs		text
		MD5:1C0879D0CBD8AA840A8E590FB0956FAB	SHA256:6E0BC22047D3462D7A85EB5C99A0BCA062E8FC6BC6303488DC763D3BB9D3915A
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\Form1.Designer.cs		text
		MD5:BC522051EF448DECB383305FCF54618F	SHA256:C88B8225B2A844EDFFDD43B865595083D75328C9CC138CC4EC7117D6026D5E1C
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\Aviator-Hack.csproj		text
		MD5:42E08333134F982593551871AC2652A8	SHA256:E497734956DABE16CFF2BD390FE65EDE41B0ECE8515D2E287E597CD924FD894E
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\FrmContactus.Designer.cs		text
		MD5:B546BE0F1019385C306EA3CFEA9F772D	SHA256:736CCA72B3139893D5C5E6A2D6299AF5E7B844C097BECE1E846004A7A325F975
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\.github\workflows\dotnet-desktop.yml		text
		MD5:45C6825C038E0DFFC31A4B57014194EA	SHA256:B8F033A2CB0A2D5BB03F8BFD85A5504ABF2D5CC0F6CA090867B72FCECB93DE95
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\.gitignore		text
		MD5:7603A8B5FBCB989107B494DFFF70AE97	SHA256:F0CCB88E17018CAD6016FACA27FEE574CC327C9975FA30CC0EECA1C62DE008D2
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\Form2.cs		text
		MD5:60D76D02665C588AB672212D2912B4E3	SHA256:B21BF0E90D1DA6861D96CF9FD79EEEEE21BDE54E81BF95FB2124D542A25D8E41
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\FrmAviator.Designer.cs		text
		MD5:B116AAD6F01F65895DBE3099C71A9B9C	SHA256:159E66F22C56F1F4F5DBDD11A42CC98F4438D1800354D83B873D8D991FCA6D93
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\.github\FUNDING.yml		text
		MD5:CDCF4932A00EC9CDC5594370B1C01CC6	SHA256:5D2C7E9D077858F4E12AB03B26C9C00EE883655700E50AE4D8DB88E9A9F05938
6168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6168.19947\Aviator-Predictor-FULL-main\Aviator Predictor\Program.cs		text
		MD5:ABD03D9E42AD8C07E1FAF2D396A2226F	SHA256:17F6480434FFBAD8F13448B34A0FAFA5FC97F418649FA15D7E6C2E74419F3518

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7184	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7952	svchost.exe	GET	206	23.48.23.41:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b6504465-5cb2-460e-b2f1-b5b13d55ce37?P1=1725691479&P2=404&P3=2&P4=R%2f9MVgjc2dNL0XuTcL3crAfulhtOzuJZm4cPM3R88X5hVBH%2fAut6FY4JjOpH6Y%2bngh8B%2b2TkOx2SwxDBRbV7%2bA%3d%3d	unknown	—	—	whitelisted
7952	svchost.exe	HEAD	200	23.48.23.41:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b6504465-5cb2-460e-b2f1-b5b13d55ce37?P1=1725691479&P2=404&P3=2&P4=R%2f9MVgjc2dNL0XuTcL3crAfulhtOzuJZm4cPM3R88X5hVBH%2fAut6FY4JjOpH6Y%2bngh8B%2b2TkOx2SwxDBRbV7%2bA%3d%3d	unknown	—	—	whitelisted
1944	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6308	msedge.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
7184	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7952	svchost.exe	GET	206	23.48.23.41:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b6504465-5cb2-460e-b2f1-b5b13d55ce37?P1=1725691479&P2=404&P3=2&P4=R%2f9MVgjc2dNL0XuTcL3crAfulhtOzuJZm4cPM3R88X5hVBH%2fAut6FY4JjOpH6Y%2bngh8B%2b2TkOx2SwxDBRbV7%2bA%3d%3d	unknown	—	—	whitelisted
7952	svchost.exe	GET	206	23.48.23.41:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725571405&P2=404&P3=2&P4=kiC%2b7fXcrKSEO%2f6NVMSV4zXYlhsBv7BUgc4vQiNYa3Mw6e38MXcBCowkS6und3oLFJqXp29%2f8P%2fIbnWDVqtNXw%3d%3d	unknown	—	—	whitelisted
7952	svchost.exe	HEAD	200	23.48.23.41:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a8f7bbde-6f97-4c85-954e-cada2f86bf6f?P1=1725781533&P2=404&P3=2&P4=WHvquftSGImf7dre9o5efT%2fssFjvf0kboR%2bkSxCD4zBA6M2Z%2bbJtybU%2bMs5cX76FeQSybVq7HMUCuXIagbLFvA%3d%3d	unknown	—	—	whitelisted
7952	svchost.exe	GET	206	23.48.23.41:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b6504465-5cb2-460e-b2f1-b5b13d55ce37?P1=1725691479&P2=404&P3=2&P4=R%2f9MVgjc2dNL0XuTcL3crAfulhtOzuJZm4cPM3R88X5hVBH%2fAut6FY4JjOpH6Y%2bngh8B%2b2TkOx2SwxDBRbV7%2bA%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6876	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6020	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6876	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1944	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1944	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6308	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 51.124.78.146	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.160.14 40.126.32.74 20.190.160.22 40.126.32.136 40.126.32.76 40.126.32.140 40.126.32.133 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
aka.ms	2.22.34.124	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
api.edgeoffer.microsoft.com	52.153.155.231	whitelisted
business.bing.com	13.107.6.158	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Aviator-Hack.exe	A fatal error occurred. The required library hostfxr.dll could not be found. If this is a self-contained application, that library should exist in [C:\Users\admin\Desktop\Aviator-Predictor-FULL-main\net6.0-windows\]. If this is a framework-dependent application, install the runtime in the global location [C:\Program Files\dotnet] or use the DOTNET_ROOT environment variable to specify the runtime location or register the runtime location in [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x64\InstallLocation].
Aviator-Hack.exe	The .NET runtime can be found at:
Aviator-Hack.exe	- https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.2
Aviator-Hack.exe	Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 5712. Message ID: [0x2509].

General Info

Aviator-Predictor-FULL-main (1).zip

2AD477B9C4FE0AC1F42E8D3FDBB5568A

6DEAEEF8409DCCD218EAA4C69CB1B52E104F7D84

05C3F1186CE7E2E82F2D6CE4770FFDC1D170CDABC1298595D8A6EA26BC230829

49152:ZJR8Em3mNAIhOR+wwehGP/bzLFfolk/Ml753S7BOuW6R5TR54tPa9m8ES0A5K4/v:zR8TmNAIhORhdM/LFfEk/Ml13A1PTRSo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Starts itself from another location

Reads the date of Windows installation

Drops the executable file immediately after the start

Process drops legitimate windows executable

Searches for installed software

Reads the Windows owner or organization settings

Creates a software uninstall entry

The process drops C-runtime libraries

The process creates files with name similar to system file names

Checks Windows Trust Settings

INFO

The process uses the downloaded file

Reads the computer name

Reads the software policy settings

Create files in a temporary directory

Executable content was dropped or overwritten

Reads Microsoft Office registry keys

Manual execution by a user

Checks supported languages

Application launched itself

Reads Environment values

Creates files in the program directory

Reads the machine GUID from the registry

Creates a software uninstall entry

Checks proxy server information

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings