
Windows Analysis Report
start.exe

Overview

General Information

Sample name: start.exe
Analysis ID: 1632627
MD5: 9bd30c73e3652e947d51bf577da5b0f6
SHA1: 37ba3977a205ec4431c6fbea7cdb3a3f9ee7c866
SHA256: b36a7ff87354b13aef46513945abf0aa8cef9bf6be7b81a00a694a7a695e0625
Tags: exe, user-BastianHein

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing special instruction (VM detection)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Shutdown to Log Out
Sigma detected: Suspicious Schtasks From Env Var Folder
Spawns drivers
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • start.exe (PID: 7812 cmdline: "C:\Users\user\Desktop\start.exe" MD5: 9BD30C73E3652E947D51BF577DA5B0F6)
    • powershell.exe (PID: 8028 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Aim.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Local\Temp\Aim.exe" MD5: 8A22241E33ED1F6E6054C67270E5D847)
      • cmd.exe (PID: 8084 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8036 cmdline: schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 8108 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 4248 cmdline: schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 7616 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 1320 cmdline: schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 5688 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7440 cmdline: schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 1020 cmdline: "C:\Windows\System32\cmd.exe" /c Shutdown /l /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • shutdown.exe (PID: 7700 cmdline: Shutdown /l /f MD5: F2A4E18DA72BB2C5B21076A5DE382A20)
    • catlavan (4).exe (PID: 7560 cmdline: "C:\Users\user\AppData\Local\Temp\catlavan (4).exe" MD5: DB718CE479F0DCE3B97BDFA0A7D2D097)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System23.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • System23.exe (PID: 3152 cmdline: "C:\Users\user\AppData\Local\Temp\System23.exe" MD5: F18A37264FA5FE97685CFF0CC5682AB8)
      • cmd.exe (PID: 2896 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 4212 cmdline: schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • winplay.exe (PID: 7200 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe MD5: 8A22241E33ED1F6E6054C67270E5D847)
  • Commonuodate.exe (PID: 1464 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe MD5: 8A22241E33ED1F6E6054C67270E5D847)
  • Aim.exe (PID: 8092 cmdline: "C:\Users\user\AppData\Local\Temp\Aim.exe" MD5: 8A22241E33ED1F6E6054C67270E5D847)
  • Aim.exe (PID: 7624 cmdline: "C:\Users\user\AppData\Local\Temp\Aim.exe" MD5: 8A22241E33ED1F6E6054C67270E5D847)
  • Commonuodate.exe (PID: 3616 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe MD5: 8A22241E33ED1F6E6054C67270E5D847)
  • System23.exe (PID: 408 cmdline: "C:\Users\user\AppData\Local\Temp\System23.exe" MD5: F18A37264FA5FE97685CFF0CC5682AB8)
  • System23.exe (PID: 4956 cmdline: "C:\Users\user\AppData\Local\Temp\System23.exe" MD5: F18A37264FA5FE97685CFF0CC5682AB8)
  • LogonUI.exe (PID: 3944 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3825855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 7432 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa382a855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 2104 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 1900 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3832055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2193496091.00000267FE640000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x354b1:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x35400:$s2: L2Mgc2NodGFza3MgL2
0000001E.00000002.1549661324.0000023F76D00000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x179e1:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x17a2f:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x17a7d:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
00000025.00000002.1729025242.000001F2D0D60000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x17a49:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x17a97:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x17ae5:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source | Rule | Description | Author | Strings
30.2.Aim.exe.23f1006d9e8.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x15be1:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x15c2f:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x15c7d:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
30.2.Aim.exe.23f76d00000.3.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x15be1:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x15c2f:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x15c7d:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
37.2.System23.exe.1f2d0d60000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x17a49:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x17a97:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x17ae5:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
37.2.System23.exe.1f2e261d9e8.3.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x15c49:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x15c97:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x15ce5:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
37.2.System23.exe.1f2d0d60000.1.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x15c49:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x15c97:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x15ce5:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\Aim.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\start.exe, ProcessId: 7812, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aim
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\start.exe", ParentImage: C:\Users\user\Desktop\start.exe, ParentProcessId: 7812, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', ProcessId: 8028, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\start.exe", ParentImage: C:\Users\user\Desktop\start.exe, ParentProcessId: 7812, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', ProcessId: 8028, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\start.exe", ParentImage: C:\Users\user\Desktop\start.exe, ParentProcessId: 7812, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', ProcessId: 8028, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\start.exe", ParentImage: C:\Users\user\Desktop\start.exe, ParentProcessId: 7812, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', ProcessId: 8028, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\Aim.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\start.exe, ProcessId: 7812, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aim
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\System32\userinit.exe,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Aim.exe, ProcessId: 7652, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\start.exe", ParentImage: C:\Users\user\Desktop\start.exe, ParentProcessId: 7812, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', ProcessId: 8028, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: Shutdown /l /f, CommandLine: Shutdown /l /f, CommandLine|base64offset|contains: Jv', Image: C:\Windows\System32\shutdown.exe, NewProcessName: C:\Windows\System32\shutdown.exe, OriginalFileName: C:\Windows\System32\shutdown.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c Shutdown /l /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1020, ParentProcessName: cmd.exe, ProcessCommandLine: Shutdown /l /f, ProcessId: 7700, ProcessName: shutdown.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" , CommandLine: schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8084, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" , ProcessId: 8036, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\start.exe", ParentImage: C:\Users\user\Desktop\start.exe, ParentProcessId: 7812, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe', ProcessId: 8028, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-08T14:51:17.428762+0100 | 2058998 | 1 | A Network Trojan was detected | 192.168.2.4 | 49722 | 147.185.221.26 | 43378 | TCP

AV Detection

Source: start.exe | Avira: detected
Source: http://fpsuabooster.ru/opencl.dllAC: | Avira URL Cloud: Label: malware
Source: http://fpsuabooster.ru/opencl.dll | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Avira: detection malicious, Label: HEUR/AGEN.1315477
Source: C:\Windows\System32\Wincall.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | ReversingLabs: Detection: 26%
Source: start.exe | ReversingLabs: Detection: 57%
Source: start.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: start.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: start.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\

Networking

Source: Network traffic | Suricata IDS: 2058998 - Severity 1 - ET MALWARE Sheet RAT CnC Checkin : 192.168.2.4:49722 -> 147.185.221.26:43378
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 1448 (2 identical entries)
Source: unknown | Network traffic detected: HTTP traffic on port 1448 -> 49721 (2 identical entries)
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 147.185.221.22:33793
Source: global traffic | TCP traffic: 192.168.2.4:49721 -> 185.17.0.102:1448
Source: global traffic | TCP traffic: 192.168.2.4:49722 -> 147.185.221.26:43378
Source: Joe Sandbox View | IP Address: 147.185.221.22
Source: Joe Sandbox View | IP Address: 147.185.221.26
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | TCP traffic detected without corresponding DNS query: 185.17.0.102 (50 identical entries)
Source: global traffic | HTTP traffic detected: GET /api/getKeys HTTP/1.1 | User-Agent: HTTPGET | Host: 185.17.0.102:1448 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpC HTTP/1.1 | User-Agent: HTTPGET | Host: 185.17.0.102:1448 | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: northern-tigers.gl.at.ply.gg
Source: global traffic | DNS traffic detected: DNS query: apply-rage.gl.at.ply.gg
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: catlavan (4).exe, 0000000C.00000002.2118697081.000000000045B000.00000004.00000020.00020000.00000000.sdmp, catlavan (4).exe, 0000000C.00000002.2118697081.000000000040C000.00000004.00000020.00020000.00000000.sdmp, catlavan (4).exe, 0000000C.00000002.2118697081.0000000000423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/getKeys
Source: catlavan (4).exe, 0000000C.00000002.2118697081.000000000040C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/getKeysF
Source: catlavan (4).exe, 0000000C.00000002.2118697081.0000000000436000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpC
Source: catlavan (4).exe, 0000000C.00000002.2118697081.0000000000471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpC%
Source: catlavan (4).exe, 0000000C.00000002.2118697081.0000000000471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpC(
Source: catlavan (4).exe, 0000000C.00000002.2118697081.000000000045B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpC9
Source: catlavan (4).exe, 0000000C.00000002.2118697081.0000000000471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpCP
Source: catlavan (4).exe, 0000000C.00000002.2118697081.0000000000471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.17.0.102:1448/api/version?version=UWdJWjVaazVQNHJ3SklrODBGYVZDeE5SUHpCn
Source: powershell.exe, 00000002.00000002.1327897245.00000227695D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: Aim.exe, 0000000A.00000002.2119874133.00000267803E2000.00000004.00000800.00020000.00000000.sdmp, Aim.exe, 0000000A.00000002.2119874133.0000026780001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fpsuabooster.ru/opencl.dll
Source: Aim.exe, 0000000A.00000002.2171388163.0000026790143000.00000004.00000800.00020000.00000000.sdmp, Aim.exe, 0000000A.00000002.2193496091.00000267FE640000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://fpsuabooster.ru/opencl.dllAC:
Source: powershell.exe, 00000002.00000002.1314781000.0000022761086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1549673558.000001CBBC3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.1424632859.000001CBAC558000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1265604420.000002275123B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1424632859.000001CBAC558000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1265604420.0000022751011000.00000004.00000800.00020000.00000000.sdmp, Aim.exe, 0000000A.00000002.2119874133.0000026780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1424632859.000001CBAC331000.00000004.00000800.00020000.00000000.sdmp, winplay.exe, 0000001C.00000002.1662950595.000002D2B8CA1000.00000004.00000800.00020000.00000000.sdmp, Commonuodate.exe, 0000001D.00000002.1658475412.0000011286D51000.00000004.00000800.00020000.00000000.sdmp, Aim.exe, 0000001E.00000002.1523189191.0000023F00001000.00000004.00000800.00020000.00000000.sdmp, Aim.exe, 0000001F.00000002.1599313298.000001C8377F4000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D4061000.00000004.00000800.00020000.00000000.sdmp, Commonuodate.exe, 00000024.00000002.1712574629.0000027200001000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000025.00000002.1729918351.000001F2D25B1000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000026.00000002.1814391280.000001F52A073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1265604420.000002275123B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1424632859.000001CBAC558000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.1424632859.000001CBAC558000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1265604420.0000022751011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1424632859.000001CBAC331000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000E.00000002.1549673558.000001CBBC3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.1549673558.000001CBBC3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.1549673558.000001CBBC3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.1424632859.000001CBAC558000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1314781000.0000022761086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1549673558.000001CBBC3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: 30.2.Aim.exe.23f1006d9e8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.Aim.exe.23f76d00000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 37.2.System23.exe.1f2d0d60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 37.2.System23.exe.1f2e261d9e8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 37.2.System23.exe.1f2d0d60000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.Aim.exe.23f76d00000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.Aim.exe.267901e91b0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.Aim.exe.267fe640000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 37.2.System23.exe.1f2e261d9e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.Aim.exe.23f1006d9e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000000A.00000002.2193496091.00000267FE640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000001E.00000002.1549661324.0000023F76D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000025.00000002.1729025242.000001F2D0D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: System23.exe.0.dr, _Logger_DoWork.cs | Long String: Length: 148824
Source: Aim.exe.0.dr, Invoke.cs | Long String: Length: 148824
Source: Commonuodate.exe.10.dr, Invoke.cs | Long String: Length: 148824
Source: winplay.exe.10.dr, Invoke.cs | Long String: Length: 148824
Source: 30.2.Aim.exe.23f10088e20.1.raw.unpack, Invoke.cs | Long String: Length: 148824
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe Shutdown /l /f
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC3361B NtProtectVirtualMemory | 10_2_00007FFC3DC3361B
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC31810 NtQueryInformationProcess | 10_2_00007FFC3DC31810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC21810 NtQueryInformationProcess | 28_2_00007FFC3DC21810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC2361B NtProtectVirtualMemory | 28_2_00007FFC3DC2361B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC41810 NtQueryInformationProcess | 29_2_00007FFC3DC41810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC43605 NtProtectVirtualMemory | 29_2_00007FFC3DC43605
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC41810 NtQueryInformationProcess | 30_2_00007FFC3DC41810
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC43605 NtProtectVirtualMemory | 30_2_00007FFC3DC43605
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC11810 NtQueryInformationProcess | 31_2_00007FFC3DC11810
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC13605 NtProtectVirtualMemory | 31_2_00007FFC3DC13605
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC53615 NtProtectVirtualMemory | 32_2_00007FFC3DC53615
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC51810 NtQueryInformationProcess | 32_2_00007FFC3DC51810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC31810 NtQueryInformationProcess | 36_2_00007FFC3DC31810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC3361B NtProtectVirtualMemory | 36_2_00007FFC3DC3361B
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC31810 NtQueryInformationProcess | 37_2_00007FFC3DC31810
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC3362B NtProtectVirtualMemory | 37_2_00007FFC3DC3362B
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC21810 NtQueryInformationProcess | 38_2_00007FFC3DC21810
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC2362B NtProtectVirtualMemory | 38_2_00007FFC3DC2362B
Source: C:\Users\user\AppData\Local\Temp\System23.exe | File created: C:\Windows\System32\Wincall.exe
Source: C:\Users\user\Desktop\start.exe | Code function: 0_2_00007FFC3DC50AAD | 0_2_00007FFC3DC50AAD
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC31538 | 10_2_00007FFC3DC31538
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC68CD0 | 10_2_00007FFC3DC68CD0
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC32CAB | 10_2_00007FFC3DC32CAB
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC3A060 | 10_2_00007FFC3DC3A060
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC31810 | 10_2_00007FFC3DC31810
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC49030 | 10_2_00007FFC3DC49030
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC57F50 | 10_2_00007FFC3DC57F50
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC33F10 | 10_2_00007FFC3DC33F10
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC41722 | 10_2_00007FFC3DC41722
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC3CA50 | 10_2_00007FFC3DC3CA50
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC40976 | 10_2_00007FFC3DC40976
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC3A110 | 10_2_00007FFC3DC3A110
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC308AD | 10_2_00007FFC3DC308AD
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC4444B | 10_2_00007FFC3DC4444B
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC38A7D | 10_2_00007FFC3DC38A7D
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC338D8 | 10_2_00007FFC3DC338D8
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC395AB | 10_2_00007FFC3DC395AB
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC33FF0 | 10_2_00007FFC3DC33FF0
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC34E95 | 10_2_00007FFC3DC34E95
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC3CA31 | 10_2_00007FFC3DC3CA31
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC491D3 | 10_2_00007FFC3DC491D3
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC333BB | 10_2_00007FFC3DC333BB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC21810 | 28_2_00007FFC3DC21810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC23F10 | 28_2_00007FFC3DC23F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC21538 | 28_2_00007FFC3DC21538
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC208AD | 28_2_00007FFC3DC208AD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC26A7B | 28_2_00007FFC3DC26A7B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC21FF1 | 28_2_00007FFC3DC21FF1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC23FF0 | 28_2_00007FFC3DC23FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC233BB | 28_2_00007FFC3DC233BB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC24E95 | 28_2_00007FFC3DC24E95
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC22CAB | 28_2_00007FFC3DC22CAB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC41810 | 29_2_00007FFC3DC41810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC43F10 | 29_2_00007FFC3DC43F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC41538 | 29_2_00007FFC3DC41538
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC408AD | 29_2_00007FFC3DC408AD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC46A19 | 29_2_00007FFC3DC46A19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC41FF1 | 29_2_00007FFC3DC41FF1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC43FF0 | 29_2_00007FFC3DC43FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC43386 | 29_2_00007FFC3DC43386
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC44E95 | 29_2_00007FFC3DC44E95
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC42C9D | 29_2_00007FFC3DC42C9D
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC41810 | 30_2_00007FFC3DC41810
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC463B0 | 30_2_00007FFC3DC463B0
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC43F10 | 30_2_00007FFC3DC43F10
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC41538 | 30_2_00007FFC3DC41538
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC408AD | 30_2_00007FFC3DC408AD
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC43FF0 | 30_2_00007FFC3DC43FF0
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC43386 | 30_2_00007FFC3DC43386
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC44E95 | 30_2_00007FFC3DC44E95
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC42C9D | 30_2_00007FFC3DC42C9D
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC11810 | 31_2_00007FFC3DC11810
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC16A19 | 31_2_00007FFC3DC16A19
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC11538 | 31_2_00007FFC3DC11538
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC108AD | 31_2_00007FFC3DC108AD
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC13FF0 | 31_2_00007FFC3DC13FF0
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC11FF1 | 31_2_00007FFC3DC11FF1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC13386 | 31_2_00007FFC3DC13386
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC14E95 | 31_2_00007FFC3DC14E95
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC12C9D | 31_2_00007FFC3DC12C9D
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC53908 | 32_2_00007FFC3DC53908
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC51538 | 32_2_00007FFC3DC51538
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC60126 | 32_2_00007FFC3DC60126
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC508AD | 32_2_00007FFC3DC508AD
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC52C9D | 32_2_00007FFC3DC52C9D
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC5B053 | 32_2_00007FFC3DC5B053
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC5A858 | 32_2_00007FFC3DC5A858
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC54070 | 32_2_00007FFC3DC54070
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC51810 | 32_2_00007FFC3DC51810
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC60F1B | 32_2_00007FFC3DC60F1B
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC53F20 | 32_2_00007FFC3DC53F20
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC5A6D0 | 32_2_00007FFC3DC5A6D0
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC56E2A | 32_2_00007FFC3DC56E2A
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC590FF | 32_2_00007FFC3DC590FF
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC54000 | 32_2_00007FFC3DC54000
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC59BE6 | 32_2_00007FFC3DC59BE6
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC53396 | 32_2_00007FFC3DC53396
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC54EA5 | 32_2_00007FFC3DC54EA5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC31810 | 36_2_00007FFC3DC31810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC33F10 | 36_2_00007FFC3DC33F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC31538 | 36_2_00007FFC3DC31538
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC308AD | 36_2_00007FFC3DC308AD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC36A7B | 36_2_00007FFC3DC36A7B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC33FF0 | 36_2_00007FFC3DC33FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC31FF1 | 36_2_00007FFC3DC31FF1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC333BB | 36_2_00007FFC3DC333BB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC34E95 | 36_2_00007FFC3DC34E95
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 36_2_00007FFC3DC32CAB | 36_2_00007FFC3DC32CAB
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC34070 | 37_2_00007FFC3DC34070
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC31810 | 37_2_00007FFC3DC31810
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC3710B | 37_2_00007FFC3DC3710B
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC31538 | 37_2_00007FFC3DC31538
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC308AD | 37_2_00007FFC3DC308AD
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC34000 | 37_2_00007FFC3DC34000
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC333CB | 37_2_00007FFC3DC333CB
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC34EA5 | 37_2_00007FFC3DC34EA5
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 37_2_00007FFC3DC32CAB | 37_2_00007FFC3DC32CAB
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC21810 | 38_2_00007FFC3DC21810
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC26A29 | 38_2_00007FFC3DC26A29
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC21538 | 38_2_00007FFC3DC21538
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC208AD | 38_2_00007FFC3DC208AD
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC24000 | 38_2_00007FFC3DC24000
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC233CB | 38_2_00007FFC3DC233CB
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC24EA5 | 38_2_00007FFC3DC24EA5
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 38_2_00007FFC3DC22CAB | 38_2_00007FFC3DC22CAB
Source: start.exe, 00000000.00000002.1610552707.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCriptor.exe0 vs start.exe
Source: unknown | Driver loaded: C:\Windows\System32\cdd.dll
Source: start.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 30.2.Aim.exe.23f1006d9e8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.Aim.exe.23f76d00000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 37.2.System23.exe.1f2d0d60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 37.2.System23.exe.1f2e261d9e8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 37.2.System23.exe.1f2d0d60000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.Aim.exe.23f76d00000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.Aim.exe.267901e91b0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.Aim.exe.267fe640000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 37.2.System23.exe.1f2e261d9e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.Aim.exe.23f1006d9e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000000A.00000002.2193496091.00000267FE640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000001E.00000002.1549661324.0000023F76D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000025.00000002.1729025242.000001F2D0D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskSchedulerSnapshot.cs | Task registration methods: 'InternalCreate', 'Create'
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: System23.exe.0.dr, _Logger_DoWork.cs | Base64 encoded string: 'idDzLKeCwT++hrFCdPQmfRSvMpwfHPb1SxFDTVIrsH/t7qEKYGMReKNAVyihHHC+/W/7WDx356P5SK9/jw3EUjxyicYcurT34MSxMoE8MbXJkbvL+BUNOgU5nQrDYMq9zEQ99MfZgSifyzd1E1lfwd8nghpbCvl5PRCAGMrimapeTK2E9+sPNmcKD2BXbbgV49id0fiKqJogiA8nr/gi8RbWhVmGRSb1jYdZsIoWYVkM4aH2FS4GvyR2xOpFT7HCC712y5T3ZcMAiuHQV3y9c/ZmhEQJTiBR17mzDUv1ctCuqFnETsTQ1ku2t6e11o5IQCOCWsRnVVOusp7xPFpqf3ARjEQ8RlWLZObZjcB2Mca0Za9QAj6svslqxfcmAnQgMpn3B3Sjdx3lLCnFvK5LK5Vpkt73WMY02bWg/ORdr6oFgonfMYIyss6usKsJjfJH+mutoToYU1SenmX2bbACTXPktYHirf0Xsg9W1b9TuWQ1xEIphYf2QTZoMYbXRJY2hnyZLck+z6OzykWhPmdegQDLw8C3C3IPc9qOpaJZz5qvwymN5hwgl6l9dNrCc0k5qUcOt5vpdWvqoCLt5LOsIZZejMmqZHAX/v65jloXS3lFo8A1kcyPqBxKoBVlV5b5EFKOCUAFYz5gobnBPVoi41KwxhFVXydv89cshr5tx7SNjS3e0cqAd6ef0LWPh9B26qSbmZiwdzus18dtqPnEtwhpc2t2ktQsii3jk5sq5fJmDUvu7wx1/ZBKxHb6SVkAve4nUMNzkbeZjVJFFFmyaETC/CSalWy6atgko62tmy8pY4Ol0mt1DjznhrfJk4CXpJfEsV+/o4eeDobM+6rLAmoDafVpSSXI4gV3asKUPeGhEf/pAv8LCd8xdLT/BY59oV3khr1Y8YF9OHduqLDGfrrYtKKq8nOGdYSHecTGpW+45xbC1mcspfQ/usdZ8soyyov3auNto04pQ1Vo1dO5xipdHcV4zbLCWdXGmezTD8FAE13jW0XaDo4eN3/ITT7ksslmouqxlFon7ZoEhOPFAHkwNiprrJ0W0VHIc8Mb1w/kvmNshOJ7JAVWgfaZm2qOokOW2obNqlynZe6TJO7sWLV+QR6oLeB/1AwF3RbB7QjvwVWhCDsoOYqtyEZr2v38wVxPk5oyCLDE5vRdy0WEsqcysEK8e7jvXbvILQ5GUutbnFruy9Xh2cyoKoWOh7Unki31DjrbQP6woJ4xxU6i2U8eJJx63fJzgtuOMFPqR29K5DWvRjGcuRLYR7505457QcTjUW70TAAF2Um3kLJEz2e3ryVQr5fwv09V44aZyI92RJzJLivS+qMWLPnPKeFwFT+5r58ofadQ9hS0KaeEJkgYpr72WXnsCjfsda571Tq3UYZs+YvtxYK7GkAp+b/x1QpMDXtcpHWDPyylAA3S493WO9RnHLCSFMXhkSVH9TmouDQfsb2Z9yWe48ueDRvTeigljbeo1J0TtBn9D5fc2hKJtI0rmO8v8DVwcDXwopYcBQmv3yc1XemeRgRtNs3JtJX/DWvTQMZKgEW70kdZJvBKd+uvTZosN3vRaFURohf8mk1n13XShx6sgjdpUecgSs0VE0W0jZ8CouOSVYnXLuvJy+0dTaz3TumuVEY+BxYLL5FwhLo73fxKZo9zVq2Ly05Q2CMO1DBl1eIt+vUCV1FCNKfj1zBvcCRVdx8+UzJgdu/Asvd3/xIdEIF3ViZ8onCj11I8wKpfE+mf9nt5XHUeEbq8PqlpufoXKEN7V727+GwxkGzVnLieviRBHTnwghZo1/giwG2CJk4vFkpynNPUy3pDDbol+k+kP4SwkWTqbJqoDrjIrt9ofoAeVsxHRcm9Gmi2vXoP5q5XA6q+qX53zTz72JBeeYAlWHHew8cLW9y+Jt0HXUoHMDhZOB6WsyusqrFFgWQeS+KZe8Y6h/PZdKwhs61TLq5N+yqPCNLq4z/9UeEbd/8Fc5skLQmhbSEQaw2a3M9uiqoTLoyWaD9mRdWmZZAoLCwbvESBaFfgSuqGbN1sJVpBw9VvgQGKaDf5FHgY7JiGgkU0mFXzTiWZ7sInC/k+wWtVh0DRWoVWsUY5aKdIeeM3pBmeQnzEQtJIRlMX7uw8UPJaGzFhf+eoxiCrUQhHoWjCYwoSffBgIBzuXUAbOMLMErksYhp+M8u35ZfzPiZxP6mb5Jga2XLtRenHF/9xEDu5x563ddLTLLXdp0MLMNbqLTPCLM1tu7hh6rP/oSGXYOfVo4tpKV1fplYL7DSlxutkvZ5u859J6BZzqYM18WXAngT8cEhCWaEE4egYKNivtbirkbgjiwFfpruBpvFs38kBSNNCS3/Kuxr1qkbz5YNIPPHRcECGkAjJ/Z8jMdWCRqjYr71lqsGeetKUXm3gUQbcWVt74p8M0JrfFgCFQ6f9e0ZHxvWMm9rhs1RDpoxLB/M/UGY0ZeheXlWY6NdmRhIA2gS8H3kT81S7F+5MXvaFTFiJfgOsgDlGBivl/mrNTulxsVgo5zVBzuFx+q7a/P8GW41L13fMg5IzOG1qz2MkF6QUIKM1Z/lX19pyF0mz+Wqr8AzKJWDy2rYzwVtw1hOQOuWf/FJQcnY2eXi7t9xtAzQ+Hvh3oYgcMt10Z/w12FWMSsMki/WvysUuGA6N+Pkj3z6RS5KXys9PT69DR79dIakfkat9UdWr3W8TI0iwd6LAqbEt6U6jEjlnpTzmtqK42SUw6abbdIv1ncDQhCdg8FMerbCJ58dQqS8hBTGF7ILbOQmXbitXNpqYn3BncChK7cnHQz/35VtJ7ywEXs/n7X/Nf3z08Q4mYFOIfZZB37m2+doT+QxlU3lOaXHpExhvqCi/Vb2d+ODcfF16Y5sISc0TG3gshp01paJH71f50nH7drx+MX8r4y8Ke9FBARIfX12OVmTG1xLco+g/YoQ7qJYxq1IXq87akMpCkctIXnQ/lbsJaIzP5YmEtowFlsusyvdwVoBP5YI3MC64gcZ
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, HandleNormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, HandleNormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, HandleUninstall.cs | Security API names: File.GetAccessControl
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, HandleUninstall.cs | Security API names: Directory.GetAccessControl
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, HandleUninstall.cs | Security API names: File.SetAccessControl
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, HandleUninstall.cs | Security API names: Directory.SetAccessControl
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, HandleUninstall.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, HandleUninstall.cs | Security API names: File.GetAccessControl
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, HandleUninstall.cs | Security API names: Directory.GetAccessControl
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, HandleUninstall.cs | Security API names: File.SetAccessControl
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, HandleUninstall.cs | Security API names: Directory.SetAccessControl
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, HandleUninstall.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, Packet.cs | Suspicious URL: 'http://fpsuabooster.ru/opencl.dll'
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, Packet.cs | Suspicious URL: 'http://fpsuabooster.ru/opencl.dll'
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@55/23@3/3
Source: C:\Users\user\Desktop\start.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\start.exe.log
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Mutant created: \Sessions\1\BaseNamedObjects\hleamywbcfmcirfvtj
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Users\user\Desktop\start.exe | Mutant created: \Sessions\1\BaseNamedObjects\Vgxw1mdTafPmyxUQ0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Mutant created: \Sessions\1\BaseNamedObjects\gwqfglmzuptycegqs
Source: C:\Users\user\Desktop\start.exe | File created: C:\Users\user\AppData\Local\Temp\Aim.exe
Source: start.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: start.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\start.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\start.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: start.exe | ReversingLabs: Detection: 57%
Source: start.exe | Virustotal: Detection: 56%
Source: unknown | Process created: C:\Users\user\Desktop\start.exe "C:\Users\user\Desktop\start.exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\Aim.exe "C:\Users\user\AppData\Local\Temp\Aim.exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\catlavan (4).exe "C:\Users\user\AppData\Local\Temp\catlavan (4).exe"
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System23.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Aim.exe "C:\Users\user\AppData\Local\Temp\Aim.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Aim.exe "C:\Users\user\AppData\Local\Temp\Aim.exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\System23.exe "C:\Users\user\AppData\Local\Temp\System23.exe"
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\System23.exe "C:\Users\user\AppData\Local\Temp\System23.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\System23.exe "C:\Users\user\AppData\Local\Temp\System23.exe"
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c Shutdown /l /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe Shutdown /l /f
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3825855 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa382a855 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3832055 /state1:0x41c64e6d
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe'
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\Aim.exe "C:\Users\user\AppData\Local\Temp\Aim.exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\catlavan (4).exe "C:\Users\user\AppData\Local\Temp\catlavan (4).exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System23.exe'
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\System23.exe "C:\Users\user\AppData\Local\Temp\System23.exe"
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c Shutdown /l /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe Shutdown /l /f
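The process tree above is the whole persistence and evasion chain in six distinct command lines: a Defender exclusion for each dropped payload via powershell -ExecutionPolicy Bypass Add-MpPreference, three schtasks registrations that fire every one or three minutes and run binaries from AppData\Roaming\...\Templates under vendor-sounding task names ("Chrome", "GoogleUpdateMachineUA", "MicrosoftEdgeUpdateMachineCore"), and a forced logoff (shutdown /l /f). The LogonUI.exe and fontdrvhost.exe creations that follow are the logon screen that logoff brings up, not components of the sample. The detection below is an added example, not part of the Joe Sandbox report: it parses constructed process-creation records modelled on those command lines (plus one constructed benign Google update task, to show the masquerade rule staying quiet when the target lives under Program Files) and returns one finding per rule that fires. The frequency threshold, the vendor name list and the vendor directory pattern are assumptions for the example.

```python
import re

# Constructed process-creation records modelled on the command lines the
# sandbox logged (Add-MpPreference call, three schtasks registrations, the
# forced logoff); the last record is a constructed benign vendor task.
EVENTS = [
    ("start.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
     r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe'"),
    ("cmd.exe",
     r'schtasks /create /f /sc minute /mo 1 /tn "Chrome" '
     r'/tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"'),
    ("cmd.exe",
     r'schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" '
     r'/tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"'),
    ("cmd.exe",
     r'schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" '
     r'/tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"'),
    ("cmd.exe", r"Shutdown /l /f"),
    ("GoogleUpdate.exe",
     r'schtasks /create /sc daily /tn "GoogleUpdateTaskMachineUA" '
     r'/tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"'),
]

# Assumed rule parameters for the example.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
VENDOR_NAME = re.compile(r"chrome|google|microsoft|edge", re.I)
VENDOR_DIR = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\(Google|Microsoft)\\", re.I)
HIGH_FREQUENCY_MINUTES = 5


def _option(cmdline, flag):
    """Value of a schtasks /flag option, quoted or bare; None if absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks_create(cmdline):
    """Name, schedule, modifier and target of a schtasks /create line; None otherwise."""
    if not re.search(r"\bschtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    return {
        "name": _option(cmdline, "tn") or "",
        "schedule": (_option(cmdline, "sc") or "").lower(),
        "modifier": _option(cmdline, "mo"),
        "target": _option(cmdline, "tr") or "",
    }


def analyze(events):
    """Run the persistence and defence-evasion rules over (parent, cmdline) records."""
    findings = []
    for parent, cmdline in events:
        task = parse_schtasks_create(cmdline)
        if task:
            # Task target under a user-writable profile directory.
            if USER_WRITABLE.search(task["target"]):
                findings.append(("task_target_user_writable", task["name"]))
            # /sc minute with a small /mo (schtasks defaults /mo to 1).
            modifier = int(task["modifier"]) if (task["modifier"] or "").isdigit() else 1
            if task["schedule"] == "minute" and modifier <= HIGH_FREQUENCY_MINUTES:
                findings.append(("task_high_frequency", task["name"]))
            # Vendor-sounding task name whose target is not in that vendor's directory.
            if VENDOR_NAME.search(task["name"]) and not VENDOR_DIR.match(task["target"]):
                findings.append(("task_name_masquerade", task["name"]))
        # PowerShell with the execution policy bypassed adding a Defender exclusion.
        excl = re.search(r"-ExclusionPath\s+'([^']+)'", cmdline, re.I)
        if excl and re.search(r"powershell(\.exe)?\b.*-ExecutionPolicy\s+Bypass", cmdline, re.I):
            findings.append(("defender_exclusion_added", excl.group(1)))
        # Forced logoff of the interactive user.
        if re.search(r"\bshutdown(\.exe)?\s+/l\s+/f\b", cmdline, re.I):
            findings.append(("forced_logoff", parent))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(rule, detail)
```

On real telemetry, feed it Sysmon Event ID 1 or Security 4688 command lines; because the rules key on the schtasks arguments rather than the parent, they fire on the schtasks.exe child even if the cmd.exe wrapper is not logged. Response for this chain is the reverse of what it did: delete the three tasks, remove the two exclusions (Remove-MpPreference -ExclusionPath), and check the CurrentVersion\Run values the report's Sigma hit points at.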
Source: C:\Users\user\Desktop\start.exe | Sections loaded, in order: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (first listing) | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Sections loaded, in order: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, sspicli.dll, wbemcomn.dll, sxs.dll, devenum.dll, winmm.dll, ntmarta.dll, devobj.dll, msasn1.dll, msdmo.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Sections loaded, in order: apphelp.dll, msvcp140.dll, urlmon.dll, wininet.dll, vcruntime140_1.dll, vcruntime140.dll, vcruntime140.dll, vcruntime140_1.dll, vcruntime140.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (second listing) | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: devenum.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: msdmo.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\shutdown.exe | Section loaded: shutdownext.dll
Source: C:\Windows\System32\shutdown.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\start.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\start.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: start.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: start.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: start.exe | Static file information: File size 29322240 > 1048576
Source: start.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bf6200
Source: start.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: System23.exe.0.dr, get_Plugins.cs | .Net Code: Broadcast System.Reflection.Assembly.Load(byte[])
Source: Aim.exe.0.dr, get_Groups.cs | .Net Code: LogError System.Reflection.Assembly.Load(byte[])
Source: Commonuodate.exe.10.dr, get_Groups.cs | .Net Code: LogError System.Reflection.Assembly.Load(byte[])
Source: winplay.exe.10.dr, get_Groups.cs | .Net Code: LogError System.Reflection.Assembly.Load(byte[])
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 10.2.Aim.exe.267901e91b0.2.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 30.2.Aim.exe.23f10088e20.1.raw.unpack, get_Groups.cs | .Net Code: LogError System.Reflection.Assembly.Load(byte[])
Source: System23.exe.0.dr | Static PE information: 0xEC762775 [Sun Sep 18 06:38:45 2095 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .mtx412
Source: catlavan (4).exe.0.dr | Static PE information: section name: .mtx410
Source: catlavan (4).exe.0.dr | Static PE information: section name: .mtx411
Source: catlavan (4).exe.0.dr | Static PE information: section name: .mtx412
Source: C:\Users\user\Desktop\start.exe | Code function: 0_2_00007FFC3DC500BD pushad ; iretd 0_2_00007FFC3DC500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DB2D2A5 pushad ; iretd 2_2_00007FFC3DB2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DC400BD pushad ; iretd 2_2_00007FFC3DC400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DD12316 push 8B485F92h; iretd 2_2_00007FFC3DD1231B
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC308AD push FC3DCB30h; retf 10_2_00007FFC3DC3133A
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC33605 push ecx; retf 10_2_00007FFC3DC3361A
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC314E8 push E85CC1F7h; ret 10_2_00007FFC3DC314F9
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC300BD pushad ; iretd 10_2_00007FFC3DC300C1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 10_2_00007FFC3DC3043D push E95DB64Eh; ret 10_2_00007FFC3DC30459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFC3DB1D2A5 pushad ; iretd 14_2_00007FFC3DB1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFC3DC300BD pushad ; iretd 14_2_00007FFC3DC300C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC214FA push es; ret 28_2_00007FFC3DC214D6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC208AD push FC3DCA30h; retf FC3Dh 28_2_00007FFC3DC2133A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC2147A push es; ret 28_2_00007FFC3DC214D6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC200BD pushad ; iretd 28_2_00007FFC3DC200C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Code function: 28_2_00007FFC3DC214E7 push E85CC2F7h; ret 28_2_00007FFC3DC214F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC414FA push E85CC0F7h; ret 29_2_00007FFC3DC414F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC4147A push E85CC0F7h; ret 29_2_00007FFC3DC414F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Code function: 29_2_00007FFC3DC400BD pushad ; iretd 29_2_00007FFC3DC400C1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC4147A push E85CC0F7h; ret 30_2_00007FFC3DC414F9
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC400BD pushad ; iretd 30_2_00007FFC3DC400C1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 30_2_00007FFC3DC414FA push E85CC0F7h; ret 30_2_00007FFC3DC414F9
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC100BD pushad ; iretd 31_2_00007FFC3DC100C1
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Code function: 31_2_00007FFC3DC114E8 push E85CC3F7h; ret 31_2_00007FFC3DC114F9
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC5C1CD push ds; iretd 32_2_00007FFC3DC5C1EA
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC5C118 push ds; iretd 32_2_00007FFC3DC5C11A
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC63534 push edx; iretd 32_2_00007FFC3DC6353A
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC500BD pushad ; iretd 32_2_00007FFC3DC500C1
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC514FA push E85CBFF7h; ret 32_2_00007FFC3DC514F9
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC6347D push ecx; iretd 32_2_00007FFC3DC6349A
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Code function: 32_2_00007FFC3DC5043D push E95DB44Eh; ret 32_2_00007FFC3DC50459
Source: C:\Users\user\AppData\Local\Temp\System23.exe | File created: C:\Windows\System32\Wincall.exe
Source: C:\Users\user\Desktop\start.exe | File created: C:\Users\user\AppData\Local\Temp\System23.exe
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe
Source: C:\Users\user\Desktop\start.exe | File created: C:\Users\user\AppData\Local\Temp\Aim.exe
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe
Source: C:\Users\user\Desktop\start.exe | File created: C:\Users\user\AppData\Local\Temp\catlavan (4).exe
Source: C:\Users\user\AppData\Local\Temp\System23.exe | File created: C:\Windows\System32\Wincall.exe

Boot Survival

barindex
Source: C:\Users\user\AppData\Local\Temp\Aim.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon UserinitJump to behavior
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\Desktop\start.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Aim
Source: C:\Users\user\Desktop\start.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System23
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Memory written: PID: 7560 base: 7FFCC3890008 value: E9 EB D9 E9 FF
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Memory written: PID: 7560 base: 7FFCC372D9F0 value: E9 20 26 16 00
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Memory written: PID: 7560 base: 7FFCC38A000D value: E9 BB CB EB FF
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Memory written: PID: 7560 base: 7FFCC375CBC0 value: E9 5A 34 14 00
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 1448
Source: unknown | Network traffic detected: HTTP traffic on port 1448 -> 49721
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{S15212246122658369340511724767566341002} C6C70330AEC2F0A565149C93CE8AF808BD898879090DB3F65F07933639039CC7
Source: C:\Users\user\Desktop\start.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | System information queried: FirmwareTableInformation
Source: Aim.exe, 0000001E.00000002.1529781995.0000023F10007000.00000004.00000800.00020000.00000000.sdmp, Aim.exe, 0000001E.00000002.1549661324.0000023F76D00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: SUIUSSOFTWUIUSSARE\MICUIUSSROSOFT\WINDOWS DEBUTTONFENDER\EXBUTTONCLUSIBUTTONONS\PAUIUSSTHSSTASKMGR.EXE,PROCESSHACKER.EXE,PROCEXP.EXE
Source: System23.exe, 00000025.00000002.1732997410.000001F2E25B7000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000025.00000002.1729025242.000001F2D0D60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: SOFUIUSSTWAUIUSSRE\MICROUIUSSSOFT\WINDOWBUTTONS DEFUIUSSENDBUTTONER\EXUIUSSCLUSIBUTTONONS\PATUIUSSHSSTASKMGR.EXE,PROCESSHACKER.EXE,PROCEXP.EXE
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Special instruction interceptor: First address: 142B11EE5 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Special instruction interceptor: First address: 142B11EF3 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\start.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\start.exe | Memory allocated: 1CBF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Memory allocated: 267FC430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Memory allocated: 267FDE70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Memory allocated: 2D2B73C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Memory allocated: 2D2D0CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Memory allocated: 112853A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Memory allocated: 1129ED50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Memory allocated: 23F76CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Memory allocated: 23F78700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Memory allocated: 1C835F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Memory allocated: 1C84F7D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Memory allocated: 261D26C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Memory allocated: 261EC060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Memory allocated: 272679F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Memory allocated: 27269420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Memory allocated: 1F2D0AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Memory allocated: 1F2EA5B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Memory allocated: 1F528610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Memory allocated: 1F542050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\start.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Thread delayed: delay time: 10000000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Thread delayed: delay time: 10000000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6152
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3611
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Window / User API: threadDelayed 8449
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Window / User API: threadDelayed 802
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 476
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Window / User API: threadDelayed 9455
Source: C:\Users\user\Desktop\start.exe TID: 7960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Aim.exe TID: 8068 | Thread sleep count: 8449 > 30
Source: C:\Users\user\AppData\Local\Temp\Aim.exe TID: 700 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Aim.exe TID: 8148 | Thread sleep count: 802 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3432 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe TID: 7856 | Thread sleep count: 300 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe TID: 8136 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe TID: 5052 | Thread sleep time: -10000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe TID: 2180 | Thread sleep count: 199 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe TID: 4508 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Aim.exe TID: 7996 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Aim.exe TID: 5696 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\System23.exe TID: 2992 | Thread sleep count: 9455 > 30
Source: C:\Users\user\AppData\Local\Temp\System23.exe TID: 4032 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\System23.exe TID: 2992 | Thread sleep count: 335 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe TID: 748 | Thread sleep time: -10000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe TID: 5040 | Thread sleep count: 200 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe TID: 3996 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\System23.exe TID: 5064 | Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\System23.exe TID: 4408 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\System23.exe TID: 4936 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | File opened: C:\Users\user\
Source: Aim.exe, 0000000A.00000002.2188943278.00000267FDD60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUc
Source: catlavan (4).exe, 0000000C.00000002.2119707325.00000001400B3000.00000020.00000001.01000000.0000000B.sdmp | Binary or memory string: 8QEmU
Source: catlavan (4).exe, 0000000C.00000002.2118697081.0000000000480000.00000004.00000020.00020000.00000000.sdmp, catlavan (4).exe, 0000000C.00000003.1497485121.0000000000480000.00000004.00000020.00020000.00000000.sdmp, catlavan (4).exe, 0000000C.00000002.2118697081.0000000000436000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: catlavan (4).exe, 0000000C.00000002.2120918257.00000001415C8000.00000020.00000001.01000000.0000000B.sdmp, start.exe, catlavan (4).exe.0.dr | Binary or memory string: HGfsx
Source: System23.exe, 00000020.00000002.2173905762.00000261EC837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | System information queried: ModuleInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Handle closed: DEADC0DE
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process queried: DebugObjectHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\start.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: System23.exe.0.dr, _Logger_DoWork.cs | Reference to suspicious API methods: VirtualProtect(new IntPtr(num3), 11u, (MemoryProtection)64, ref memoryProtection)
Source: System23.exe.0.dr, writeToConsole.cs | Reference to suspicious API methods: checkCommandMappings(_Logger_DoWork._003CInitialize_003Eb__13_0().Replace(_Logger_DoWork.UnloadPlugin(), _Logger_DoWork.GetPermissions()), _Logger_DoWork._003CAwake_003Eb__12_0().Replace(_Logger_DoWork.ParseString(), _Logger_DoWork.Reload()), typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 10.2.Aim.exe.267fe640000.3.raw.unpack, ResourceReferenceValue.cs | Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe'
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System23.exe'
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQueryInformationProcess: Direct from: 0x142AEF810
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x1415CE564
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQueryInformationProcess: Direct from: 0x142A88C93
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Indirect: 0x1415A3504
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x142AA51DE
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x142A19C5B
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtMapViewOfSection: Direct from: 0x142A712ED
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQuerySystemInformation: Direct from: 0x1418F9018
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtUnmapViewOfSection: Direct from: 0x142A8D486
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtSetInformationThread: Direct from: 0x142A353CC
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x141895E6C
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQueryInformationProcess: Direct from: 0x142AE3AFB
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQueryInformationProcess: Direct from: 0x142ADA78D
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtSetInformationThread: Direct from: 0x142A794A9
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQuerySystemInformation: Direct from: 0x142A59BF7
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x142AF566E
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x142A07943
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtOpenFile: Direct from: 0x142A4E705
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQuerySystemInformation: Direct from: 0x141889500
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtClose: Direct from: 0x142A867DE
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x142ADEDF8
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQuerySystemInformation: Direct from: 0x142AF7C94
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQuerySystemInformation: Direct from: 0x1418996BD
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtSetInformationProcess: Direct from: 0x142A37CB2
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtQueryInformationProcess: Direct from: 0x142A0359A
Source: C:\Users\user\AppData\Local\Temp\catlavan (4).exe | NtProtectVirtualMemory: Direct from: 0x142A3B5AE
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Aim.exe'
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\Aim.exe "C:\Users\user\AppData\Local\Temp\Aim.exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\catlavan (4).exe "C:\Users\user\AppData\Local\Temp\catlavan (4).exe"
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System23.exe'
Source: C:\Users\user\Desktop\start.exe | Process created: C:\Users\user\AppData\Local\Temp\System23.exe "C:\Users\user\AppData\Local\Temp\System23.exe"
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c Shutdown /l /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "GoogleUpdateMachineUA" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 3 /tn "MicrosoftEdgeUpdateMachineCore" /tr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe Shutdown /l /f
Source: Aim.exe, 0000000A.00000002.2118869310.000000D8E3235000.00000004.00000010.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D41C5000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D4318000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Aim.exe, 0000000A.00000002.2119874133.0000026780001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerp^
Source: System23.exe, 00000020.00000002.2136002155.00000261D4318000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerXb
Source: System23.exe, 00000020.00000002.2136002155.00000261D4318000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D4061000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ### Program Manager ###
Source: System23.exe, 00000020.00000002.2136002155.00000261D41C5000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D43F5000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D4061000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager }
Source: System23.exe, 00000020.00000002.2136002155.00000261D41C5000.00000004.00000800.00020000.00000000.sdmp, System23.exe, 00000020.00000002.2136002155.00000261D42E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\start.exe | Queries volume information: C:\Users\user\Desktop\start.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Aim.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\winplay.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Aim.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Aim.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\System23.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\System23.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\System23.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\System23.exe VolumeInformation
Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Users\user\Desktop\start.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: System23.exe, 00000020.00000002.2178456711.00000261EC89E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s Defender\MsMpeng.exe
Source: System23.exe, 00000020.00000002.2173905762.00000261EC837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Aim.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\System23.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\System23.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 LSASS Driver | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | 1 Credential API Hooking | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 LSASS Driver | 1 Abuse Elevation Control Mechanism | LSASS Memory | 113 System Information Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 DLL Side-Loading | 11 Obfuscated Files or Information | Security Account Manager | 631 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | 21 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Scheduled Task/Job | 1 Timestomp | LSA Secrets | 241 Virtualization/Sandbox Evasion | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 241 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Behavior Graph ID: 1632627 Sample: start.exe Startdate: 08/03/2025 Architecture: WINDOWS Score: 100

Behavior graph (graphic not included; the process tree, network contacts, dropped files and signatures recovered from it are listed below):

Internet / top level
  Domains and IPs: apply-rage.gl.at.ply.gg, northern-tigers.gl.at.ply.gg, 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
  Started: start.exe, winplay.exe, Commonuodate.exe, 11 other processes

start.exe
  Dropped: C:\Users\user\AppData\...\catlavan (4).exe (PE32+); C:\Users\user\AppData\Local\...\System23.exe (PE32); C:\Users\user\AppData\Local\Temp\Aim.exe (PE32); C:\Users\user\AppData\Local\...\start.exe.log (CSV)
  Signatures: Creates multiple autostart registry keys; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
  Started: Aim.exe, catlavan (4).exe, System23.exe, 2 other processes

winplay.exe
  Signatures: Antivirus detection for dropped file

11 other processes (top level)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Aim.exe
  Network: northern-tigers.gl.at.ply.gg 147.185.221.22, ports 33793, 49720, 49723, SALSGIVERUS, United States
  Dropped: C:\Users\user\AppData\Roaming\...\winplay.exe (PE32); C:\Users\user\AppData\...\Commonuodate.exe (PE32)
  Signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key
  Started: cmd.exe (3 instances), 2 other processes

catlavan (4).exe
  Network: 185.17.0.102, ports 1448, 49721, SUPERSERVERSDATACENTERRU, Russian Federation
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to detect debuggers (CloseHandle check); 2 other signatures
  Started: conhost.exe

System23.exe
  Network: apply-rage.gl.at.ply.gg 147.185.221.26, ports 43378, 49722, 49726, SALSGIVERUS, United States
  Dropped: C:\Windows\System32\Wincall.exe (PE32)
  Started: cmd.exe

2 other processes (started by start.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (2 instances)

cmd.exe (started by Aim.exe, first instance)
  Signatures: Uses shutdown.exe to shutdown or reboot the system; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe, schtasks.exe

cmd.exe (started by Aim.exe, second instance)
  Started: conhost.exe, schtasks.exe

cmd.exe (started by Aim.exe, third instance)
  Started: conhost.exe, schtasks.exe

cmd.exe (started by System23.exe)
  Started: 2 other processes

2 other processes (started by Aim.exe)
  Started: conhost.exe, 3 other processes

This section contains all screenshots as thumbnails, including those not shown in the slideshow.