Malware analysis /ai-aimbot/AIMr/files/15284124/AIMr.zip Malicious activity

Add for printing

download:	/ai-aimbot/AIMr/files/15284124/AIMr.zip
Full analysis:	https://app.any.run/tasks/b158c984-9eeb-43f7-84d7-6e2e2961581e
Verdict:	Malicious activity
Analysis date:	July 24, 2024, 19:24:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github python evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	DBC2DE4B885B9626D6CF8323B080C60F
SHA1:	3D48A93873DCD8B61ECF166EC12C8CBE6A9A52E4
SHA256:	F534F51BFB6136975B3CD469EEF6285043D47466AA103FD2F2996FBF9CE3868E
SSDEEP:	98304:hKBBgVhsrFFD4Aw6DFM65Es07jZKmH/krpzj1ELj9hpU/1c0J/7dY21l3vs+YXGc:37D82JbtaZL9q2diCmkPNk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 116)
  - AIMr.exe (PID: 5032)
SUSPICIOUS
- Executable content was dropped or overwritten
  - AIMr.exe (PID: 5032)
- The process drops C-runtime libraries
  - AIMr.exe (PID: 5032)
- Process drops python dynamic module
  - AIMr.exe (PID: 5032)
- Process drops legitimate windows executable
  - AIMr.exe (PID: 5032)
- Application launched itself
  - AIMr.exe (PID: 5032)
- Uses WMIC.EXE to obtain Windows Installer data
  - AIMr.exe (PID: 6956)
- Loads Python modules
  - AIMr.exe (PID: 6956)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 3480)
INFO
- Checks supported languages
  - AIMr.exe (PID: 5032)
  - AIMr.exe (PID: 6956)
  - TextInputHost.exe (PID: 7232)
- Reads the computer name
  - AIMr.exe (PID: 5032)
  - AIMr.exe (PID: 6956)
  - TextInputHost.exe (PID: 7232)
- Manual execution by a user
  - AIMr.exe (PID: 5032)
  - firefox.exe (PID: 6288)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 116)
- Create files in a temporary directory
  - AIMr.exe (PID: 5032)
- Reads the machine GUID from the registry
  - AIMr.exe (PID: 6956)
- Checks proxy server information
  - AIMr.exe (PID: 6956)
  - slui.exe (PID: 6364)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 3480)
- Application launched itself
  - firefox.exe (PID: 7132)
  - firefox.exe (PID: 6288)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 7132)
- Reads the software policy settings
  - slui.exe (PID: 6364)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:05:11 12:45:10
ZipCRC:	0xf4d6834f
ZipCompressedSize:	7363385
ZipUncompressedSize:	7548828
ZipFileName:	AIMr.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\AIMr.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

132

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 1516 -prefsLen 30953 -prefMapSize 244343 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8843d45-ab69-49bf-8a22-fb0e9510d305} 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 1d47f76c150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

1132

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

AIMr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3480

wmic csproduct get uuid

C:\Windows\System32\wbem\WMIC.exe

—

AIMr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

5032

"C:\Users\admin\Desktop\AIMr.exe"

C:\Users\admin\Desktop\AIMr.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\desktop\aimr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

5664

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20240213221259 -prefsHandle 2284 -prefMapHandle 2252 -prefsLen 30537 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b9194c-04a2-4901-8d91-e88b525a489e} 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 1d46d380d10 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

5776

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240213221259 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 30537 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d0d9581-21e7-46b3-b4bb-3397f691464d} 7132 "\\.\pipe\gecko-crash-server-pipe.7132" 1d479eea210 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6288

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

—

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

6364

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6956

"C:\Users\admin\Desktop\AIMr.exe"

C:\Users\admin\Desktop\AIMr.exe

AIMr.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\desktop\aimr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

30 494

Read events

30 454

Write events

Delete events

Modification events


(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\AIMr.zip
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6288) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: 7DA101C900000000
(PID) Process:	(7132) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: AA5902C900000000

Add for printing

Executable files

Suspicious files

201

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\VCRUNTIME140.dll		executable
		MD5:8697C106593E93C11ADC34FAA483C4A0	SHA256:FF43E813785EE948A937B642B03050BB4B1C6A5E23049646B891A66F65D4C833
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:E5912B05988259DAD0D6D04C8A17D19B	SHA256:9F3608C15C5DE2F577A2220CE124B530825717D778F1E3941E536A3AB691F733
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\_bz2.pyd		executable
		MD5:054708E16D5775C58669CB2AA4E2CE88	SHA256:FD08E5A2AA5D4E5C413C87A2193044B568E2A2C01AE0EBFEBDE56C42BB7A80B9
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\_ctypes.pyd		executable
		MD5:11399D7C6D62ED339ADA949DCF41F127	SHA256:AF49DBAB240639E26C6186122B1E660FC33B15105D67C2523A162BEE0F75A46B
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\_socket.pyd		executable
		MD5:6DF98284426330435E5AA6B8434CF461	SHA256:153F1D66C0FD99A6FBC77496F8A91591D8850A122CC57B99A2AF95FA58951401
116	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa116.38759\AIMr.exe		executable
		MD5:ADCD61646DD9EE3238279FF36DC0E88E	SHA256:481865D699E7B4DC3C160E33181F4D2A82067D2D03DD661E0C8FBE047E9F283C
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\_ssl.pyd		executable
		MD5:B2EC752BF3928BF6C8A8F1EE36CA5607	SHA256:E65568773DB94E6F2DD33B5973DEEAD718ADC8BC47E99ABDF314C7629C359E5B
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:241338AEF5E2C18C80FB1DB07AA8BCDF	SHA256:56DE091EFE467FE23CC989C1EE21F3249A1BDB2178B51511E3BD514DF12C5CCB
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\api-ms-win-core-heap-l1-1-0.dll		executable
		MD5:CDC266896E0DBE6C73542F6DEC19DE23	SHA256:87A5C5475E9C26FABFEAD6802DAC8A62E2807E50E0D18C4BFADCB15EBF5BCBC0
5032	AIMr.exe	C:\Users\admin\AppData\Local\Temp\_MEI50322\_lzma.pyd		executable
		MD5:012D4FF37E52E0D258BDBBE4C17FC012	SHA256:D6297ABB919F3F69E94C035FCA327E56841E5ABEBBFF29FF95FE0A68BE46432D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

154

DNS requests

219

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6856	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7132	firefox.exe	POST	200	2.16.241.15:80	http://r10.o.lencr.org/	unknown	—	—	—
7132	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
7132	firefox.exe	POST	200	2.16.241.12:80	http://r3.o.lencr.org/	unknown	—	—	—
7132	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
7132	firefox.exe	POST	200	2.16.241.15:80	http://r10.o.lencr.org/	unknown	—	—	—
7132	firefox.exe	POST	200	2.16.241.15:80	http://r10.o.lencr.org/	unknown	—	—	—
7132	firefox.exe	POST	200	2.16.241.15:80	http://r11.o.lencr.org/	unknown	—	—	—
7132	firefox.exe	POST	200	142.250.186.35:80	http://o.pki.goog/wr2	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4360	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3380	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	2.23.209.182:443	www.bing.com	Akamai International B.V.	GB	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4204	svchost.exe	4.209.32.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6956	AIMr.exe	185.199.111.133:443	raw.githubusercontent.com	FASTLY	US	unknown
1952	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
google.com	142.250.184.206	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.108.133 185.199.109.133 185.199.110.133 2606:50c0:8001::154 2606:50c0:8003::154 2606:50c0:8000::154 2606:50c0:8002::154	shared
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted
login.live.com	20.190.160.17 40.126.32.134 20.190.160.14 40.126.32.140 40.126.32.76 40.126.32.136 40.126.32.68 20.190.160.20	whitelisted
ocsp.digicert.com	13.107.246.45	whitelisted
www.bing.com	2.23.209.149 2.23.209.185 2.23.209.187 2.23.209.133 2.23.209.182 2.23.209.179 2.23.209.176 2.23.209.130	whitelisted
arc.msn.com	20.223.36.55	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted

Threats

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Misc activity	ET INFO URL Shortener Service Domain in DNS Lookup (is .gd)
—	—	Misc activity	ET INFO URL Shortener Service Domain in DNS Lookup (is .gd)
—	—	Misc activity	ET INFO URL Shortener Service Domain in DNS Lookup (is .gd)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
—	—	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
—	—	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup

Add for printing

No debug info

General Info

/ai-aimbot/AIMr/files/15284124/AIMr.zip

DBC2DE4B885B9626D6CF8323B080C60F

3D48A93873DCD8B61ECF166EC12C8CBE6A9A52E4

F534F51BFB6136975B3CD469EEF6285043D47466AA103FD2F2996FBF9CE3868E

98304:hKBBgVhsrFFD4Aw6DFM65Es07jZKmH/krpzj1ELj9hpU/1c0J/7dY21l3vs+YXGc:37D82JbtaZL9q2diCmkPNk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops python dynamic module

Process drops legitimate windows executable

Application launched itself

Uses WMIC.EXE to obtain Windows Installer data

Loads Python modules

Accesses product unique identifier via WMI (SCRIPT)

INFO

Checks supported languages

Reads the computer name

Manual execution by a user

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the machine GUID from the registry

Checks proxy server information

Reads security settings of Internet Explorer

Application launched itself

Reads Microsoft Office registry keys

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings