Windows Analysis Report
Eclf71HXa1.exe

Overview

General Information

Sample name:	Eclf71HXa1.exe renamed because original name is a hash value
Original sample name:	9f478308a636906db8c36e77ce68b4c2.exe
Analysis ID:	1466585
MD5:	9f478308a636906db8c36e77ce68b4c2
SHA1:	369b818537e16c4c038ce0779bb031ba6980db9c
SHA256:	544095b7f34939172ea5bd6544be4c82357921f3153d17ac0e4b1b93dc363de4
Tags:	64exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Excessive usage of taskkill to terminate processes

Potentially malicious time measurement code found

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Eclf71HXa1.exe	ReversingLabs: Detection: 13%
Source: Eclf71HXa1.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1249 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,memcpy,	2_2_00007FFE004C1249
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D40B0 CRYPTO_clear_free,	2_2_00007FFE004D40B0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B9F CRYPTO_free,CRYPTO_malloc,	2_2_00007FFE004C1B9F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00512110 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,memcpy,memcpy,	2_2_00007FFE00512110
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E97 memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_memcmp,	2_2_00007FFE004C1E97
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1EA1 CRYPTO_strdup,CRYPTO_free,	2_2_00007FFE004C1EA1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B0E memset,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,	2_2_00007FFE004C1B0E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F5F CRYPTO_strdup,	2_2_00007FFE004C1F5F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C20FB CRYPTO_malloc,	2_2_00007FFE004C20FB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC0F0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FFE004EC0F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005081AE CRYPTO_free,CRYPTO_free,	2_2_00007FFE005081AE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050A190 EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	2_2_00007FFE0050A190
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C19E7 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE004C19E7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C19B5 CRYPTO_malloc,	2_2_00007FFE004C19B5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1C1C EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,	2_2_00007FFE004C1C1C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2130 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FFE004C2130
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC290 CRYPTO_free,CRYPTO_free,	2_2_00007FFE004EC290
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2239 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	2_2_00007FFE004C2239
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005263A0 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFE005263A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC380 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FFE004EC380
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C4407 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	2_2_00007FFE004C4407
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D8430 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	2_2_00007FFE004D8430
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C18CA CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C18CA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C150F CRYPTO_free,	2_2_00007FFE004C150F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1357 memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1357
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24F5 CRYPTO_free,	2_2_00007FFE004C24F5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DA530 CRYPTO_THREAD_run_once,	2_2_00007FFE004DA530
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1EEC EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,EVP_PKEY_id,CRYPTO_malloc,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	2_2_00007FFE004C1EEC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E44C0 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004E44C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1230 memcpy,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,memcmp,_time64,	2_2_00007FFE004C1230
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC540 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_malloc,ERR_put_error,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,EVP_PKEY_free,X509_get0_pubkey,X509_free,OPENSSL_sk_push,ERR_put_error,X509_free,ERR_put_error,	2_2_00007FFE004EC540
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8560 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C8560
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8610 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,	2_2_00007FFE004C8610
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C4630 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	2_2_00007FFE004C4630
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F2620 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFE004F2620
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050A5D0 memset,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FFE0050A5D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C17B2 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004C17B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F82 CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,	2_2_00007FFE004C1F82
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1FA0 BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,	2_2_00007FFE004C1FA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C22C5 ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C22C5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DC710 CRYPTO_get_ex_new_index,	2_2_00007FFE004DC710
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6700 CRYPTO_free,	2_2_00007FFE004F6700
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C184D CRYPTO_free,	2_2_00007FFE004C184D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00510740 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE00510740
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6770 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,	2_2_00007FFE004F6770
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DC770 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004DC770
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D9D CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1D9D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005107E0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE005107E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1726 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE004C1726
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051E910 EVP_PKEY_CTX_new,X509_get0_pubkey,ERR_clear_error,EVP_PKEY_decrypt,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_free,	2_2_00007FFE0051E910
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C252C CRYPTO_malloc,ERR_put_error,BIO_snprintf,	2_2_00007FFE004C252C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B40 CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,	2_2_00007FFE004C1B40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1BEF ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes,	2_2_00007FFE004C1BEF
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050A940 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FFE0050A940
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050CA20 CRYPTO_free,CRYPTO_free,	2_2_00007FFE0050CA20
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B54 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004C1B54
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F89D0 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,BIO_ctrl,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,	2_2_00007FFE004F89D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CEA80 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,	2_2_00007FFE004CEA80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2063 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFE004C2063
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DEA40 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,	2_2_00007FFE004DEA40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00506A70 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00506A70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FEA60 CRYPTO_realloc,	2_2_00007FFE004FEA60
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C23D3 CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup,	2_2_00007FFE004C23D3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F4AD0 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	2_2_00007FFE004F4AD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00520AF0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00520AF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8AF0 CRYPTO_free,	2_2_00007FFE004C8AF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24BE CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C24BE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051CBB0 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE0051CBB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1848 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FFE004C1848
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F2BA0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	2_2_00007FFE004F2BA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D6B53 CRYPTO_free,CRYPTO_strdup,ERR_put_error,ERR_put_error,	2_2_00007FFE004D6B53
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1253 CRYPTO_free,	2_2_00007FFE004C1253
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051EC80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,	2_2_00007FFE0051EC80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FECA0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004FECA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D6C53 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004D6C53
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6C50 CRYPTO_free,	2_2_00007FFE004F6C50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C23C4 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C23C4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C18B6 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFE004C18B6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00506D00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE00506D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C212B EVP_MD_CTX_new,EVP_MD_CTX_copy_ex,CRYPTO_memcmp,memcpy,memcpy,	2_2_00007FFE004C212B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050ACC0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE0050ACC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6CF0 CRYPTO_free,CRYPTO_free,	2_2_00007FFE004F6CF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C191A ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,CRYPTO_dup_ex_data,BIO_ctrl,BIO_ctrl,BIO_up_ref,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	2_2_00007FFE004C191A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C179E CRYPTO_free,	2_2_00007FFE004C179E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00512DB0 CRYPTO_malloc,memcpy,	2_2_00007FFE00512DB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1028 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free,	2_2_00007FFE004C1028
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E8D80 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FFE004E8D80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2301 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C2301
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004ECD70 CRYPTO_malloc,CRYPTO_clear_free,	2_2_00007FFE004ECD70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8E00 CRYPTO_malloc,ERR_put_error,	2_2_00007FFE004C8E00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051AEB0 CRYPTO_memcmp,	2_2_00007FFE0051AEB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6EB0 CRYPTO_free,	2_2_00007FFE004F6EB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6E40 CRYPTO_free,	2_2_00007FFE004F6E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0052AE40 memset,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFE0052AE40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C141F EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004C141F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00526F30 CRYPTO_free,CRYPTO_malloc,ERR_put_error,	2_2_00007FFE00526F30
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00510F00 CRYPTO_free,	2_2_00007FFE00510F00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C18C0 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C18C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1A05 EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,	2_2_00007FFE004C1A05
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051EF80 EVP_PKEY_get0_RSA,RSA_size,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free,	2_2_00007FFE0051EF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C242D CRYPTO_free,CRYPTO_memdup,ERR_put_error,	2_2_00007FFE004C242D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2275 CRYPTO_free,	2_2_00007FFE004C2275
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9020 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C9020
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E2FD0 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	2_2_00007FFE004E2FD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E8FE0 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	2_2_00007FFE004E8FE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1ACD CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004C1ACD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2496 CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FFE004C2496
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D9040 ERR_put_error,ASN1_item_free,memcpy,_time64,X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FFE004D9040
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EF0E0 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004EF0E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1AFF CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	2_2_00007FFE004C1AFF
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F7150 CRYPTO_free,	2_2_00007FFE004F7150
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F55 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C1F55
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1C3A X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FFE004C1C3A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C165E CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C165E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D7290 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,	2_2_00007FFE004D7290
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C10A5 CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	2_2_00007FFE004C10A5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1C03 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C1C03
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1005 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	2_2_00007FFE004C1005
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2176 EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FFE004C2176
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2144 CRYPTO_free,CRYPTO_malloc,RAND_bytes,	2_2_00007FFE004C2144
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D7F BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C1D7F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DD3E0 CRYPTO_THREAD_run_once,	2_2_00007FFE004DD3E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C207C CRYPTO_free,_time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,	2_2_00007FFE004C207C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051F4A0 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE0051F4A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1690 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004C1690
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1681 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C1681
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1AB9 CONF_parse_list,CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1AB9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00503440 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,	2_2_00007FFE00503440
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C186B CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C186B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E546A CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004E546A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9510 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FFE004C9510
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FF4D0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004FF4D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C101E EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FFE004C101E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C125D BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004C125D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F9570 CRYPTO_memcmp,	2_2_00007FFE004F9570
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C12E4 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C12E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C20DB CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004C20DB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24B9 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_memcmp,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,	2_2_00007FFE004C24B9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050F640 CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE0050F640
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517720 CRYPTO_memcmp,	2_2_00007FFE00517720
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DF6F0 CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE004DF6F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0052B7A0 SRP_Calc_u,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,CRYPTO_clear_free,BN_clear_free,	2_2_00007FFE0052B7A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E1790 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004E1790
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FF7A0 CRYPTO_free,CRYPTO_free,	2_2_00007FFE004FF7A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9770 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE004C9770
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F9810 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004F9810
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1505 CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,	2_2_00007FFE004C1505
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F0F CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FFE004C1F0F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005078A7 CRYPTO_clear_free,	2_2_00007FFE005078A7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E3900 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004E3900
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1104 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004C1104
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C22B1 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C22B1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00511960 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,	2_2_00007FFE00511960
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C16E0 CRYPTO_zalloc,	2_2_00007FFE004C16E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DD940 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FFE004DD940
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DF960 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	2_2_00007FFE004DF960
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F9A30 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004F9A30
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DDA30 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FFE004DDA30
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1CC6 CRYPTO_malloc,COMP_expand_block,	2_2_00007FFE004C1CC6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FFA50 CRYPTO_memcmp,	2_2_00007FFE004FFA50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D43 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,	2_2_00007FFE004C1D43
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C17CB CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FFE004C17CB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C16B3 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free,	2_2_00007FFE004C16B3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517AE0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00517AE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C21AD memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FFE004C21AD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1EF1 CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,	2_2_00007FFE004C1EF1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C109B CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,	2_2_00007FFE004C109B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7BA0 CRYPTO_free,	2_2_00007FFE004C7BA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DBB70 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,	2_2_00007FFE004DBB70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D9B70 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE004D9B70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDBE0 CRYPTO_free,	2_2_00007FFE004CDBE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C22F7 CRYPTO_free,	2_2_00007FFE004C22F7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDC90 CRYPTO_free,	2_2_00007FFE004CDC90
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F3C80 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFE004F3C80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DDC70 CRYPTO_THREAD_run_once,	2_2_00007FFE004DDC70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517D00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE00517D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E4C CRYPTO_clear_free,	2_2_00007FFE004C1E4C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C17D0 CRYPTO_malloc,memcpy,	2_2_00007FFE004C17D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7CF0 CRYPTO_free,	2_2_00007FFE004C7CF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDCF0 CRYPTO_free,	2_2_00007FFE004CDCF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00519CDC CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00519CDC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FFD80 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004FFD80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CFDB0 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,	2_2_00007FFE004CFDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDDA0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,	2_2_00007FFE004CDDA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E5D50 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FFE004E5D50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D7D40 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004D7D40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F7DD0 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FFE004F7DD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7DF0 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C7DF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E56 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,	2_2_00007FFE004C1E56
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1CD5 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C1CD5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F3E40 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	2_2_00007FFE004F3E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D5E70 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004D5E70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00507E6F CRYPTO_malloc,	2_2_00007FFE00507E6F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B8B CRYPTO_free,CRYPTO_malloc,	2_2_00007FFE004C1B8B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1208
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050BEF0 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE0050BEF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1AB4 CRYPTO_free,	2_2_00007FFE004C1AB4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D5FAA CRYPTO_free,	2_2_00007FFE004D5FAA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7F50 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C7F50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FFF70 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE004FFF70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C15C8 EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FFE004C15C8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E2010 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FFE004E2010
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C210D HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	2_2_00007FFE004C210D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2243 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FFE004C2243
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C402B BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	2_2_00007FFE004C402B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9FC0 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C9FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517FC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,	2_2_00007FFE00517FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00509FC0 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,	2_2_00007FFE00509FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C14FB CRYPTO_free,CRYPTO_memdup,ERR_put_error,	2_2_00007FFE004C14FB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D7FE0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FFE004D7FE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDFE0 CRYPTO_malloc,	2_2_00007FFE004CDFE0

Source: Eclf71HXa1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905401585.00007FFE11EBE000.00000002.00000001.01000000.0000000A.sdmp, _bz2.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905252984.00007FFE1030D000.00000002.00000001.01000000.0000000E.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905507486.00007FFE11ED9000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905828042.00007FFE12E15000.00000002.00000001.01000000.0000000C.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: .PdB] source: Eclf71HXa1.exe
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904573844.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905927859.00007FFE130C3000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905609905.00007FFE126D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117976F0 FindFirstFileExW,FindClose,	0_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117976F0 FindFirstFileExW,FindClose,	2_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	2_2_00007FFDFB134462

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 77.221.149.185:5988

Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185

Source: Eclf71HXa1.exe, 00000002.00000002.2903163468.000002492F0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org/techtonik/python-pager
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org/techtonik/python-wget/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://greenbytes.de/tech/tc2231/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pypi.python.org/pypi/wget/
Source: python38.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: Eclf71HXa1.exe, 00000000.00000003.1661863248.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2903203946.000002492F120000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Eclf71HXa1.exe, 00000002.00000002.2902566713.000002492EB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H

Too many similar processes found

Source: cmd.exe

Process created: 213

Detected potential crypto function

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B6A4C	0_2_00007FF6117B6A4C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B06D4	0_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A12C0	0_2_00007FF6117A12C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A32F0	0_2_00007FF6117A32F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B5B00	0_2_00007FF6117B5B00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A9AA0	0_2_00007FF6117A9AA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A01CC	0_2_00007FF6117A01CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B3A10	0_2_00007FF6117B3A10
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A2A28	0_2_00007FF6117A2A28
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B06D4	0_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B6500	0_2_00007FF6117B6500
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF611797C70	0_2_00007FF611797C70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A7C98	0_2_00007FF6117A7C98
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117AE3B8	0_2_00007FF6117AE3B8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179FBB8	0_2_00007FF61179FBB8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A03D8	0_2_00007FF6117A03D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A8350	0_2_00007FF6117A8350
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A5B50	0_2_00007FF6117A5B50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A1658	0_2_00007FF6117A1658
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B1674	0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B3EAC	0_2_00007FF6117B3EAC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179FDBC	0_2_00007FF61179FDBC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A05DC	0_2_00007FF6117A05DC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A25F0	0_2_00007FF6117A25F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A2E2C	0_2_00007FF6117A2E2C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117ADD38	0_2_00007FF6117ADD38
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B5D7C	0_2_00007FF6117B5D7C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117988EB	0_2_00007FF6117988EB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179911D	0_2_00007FF61179911D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117AD8A4	0_2_00007FF6117AD8A4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179FFC8	0_2_00007FF61179FFC8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B9808	0_2_00007FF6117B9808
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179874B	0_2_00007FF61179874B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B6A4C	2_2_00007FF6117B6A4C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A12C0	2_2_00007FF6117A12C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A32F0	2_2_00007FF6117A32F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B5B00	2_2_00007FF6117B5B00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A9AA0	2_2_00007FF6117A9AA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A01CC	2_2_00007FF6117A01CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B3A10	2_2_00007FF6117B3A10
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A2A28	2_2_00007FF6117A2A28
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B06D4	2_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B6500	2_2_00007FF6117B6500
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF611797C70	2_2_00007FF611797C70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A7C98	2_2_00007FF6117A7C98
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117AE3B8	2_2_00007FF6117AE3B8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179FBB8	2_2_00007FF61179FBB8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A03D8	2_2_00007FF6117A03D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A8350	2_2_00007FF6117A8350
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A5B50	2_2_00007FF6117A5B50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B06D4	2_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A1658	2_2_00007FF6117A1658
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B1674	2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B3EAC	2_2_00007FF6117B3EAC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179FDBC	2_2_00007FF61179FDBC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A05DC	2_2_00007FF6117A05DC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A25F0	2_2_00007FF6117A25F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A2E2C	2_2_00007FF6117A2E2C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117ADD38	2_2_00007FF6117ADD38
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B5D7C	2_2_00007FF6117B5D7C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117988EB	2_2_00007FF6117988EB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179911D	2_2_00007FF61179911D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117AD8A4	2_2_00007FF6117AD8A4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179FFC8	2_2_00007FF61179FFC8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B9808	2_2_00007FF6117B9808
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179874B	2_2_00007FF61179874B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB26FB70	2_2_00007FFDFB26FB70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1312C1	2_2_00007FFDFB1312C1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB363B80	2_2_00007FFDFB363B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134025	2_2_00007FFDFB134025
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2CBA70	2_2_00007FFDFB2CBA70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB19FB00	2_2_00007FFDFB19FB00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13385F	2_2_00007FFDFB13385F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134B24	2_2_00007FFDFB134B24
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133C1A	2_2_00007FFDFB133C1A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132504	2_2_00007FFDFB132504
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132BC6	2_2_00007FFDFB132BC6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13513C	2_2_00007FFDFB13513C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2DFF80	2_2_00007FFDFB2DFF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB25BFA0	2_2_00007FFDFB25BFA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2C7E70	2_2_00007FFDFB2C7E70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB137194	2_2_00007FFDFB137194
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13135C	2_2_00007FFDFB13135C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14BF20	2_2_00007FFDFB14BF20
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14BD60	2_2_00007FFDFB14BD60
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13200E	2_2_00007FFDFB13200E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131B95	2_2_00007FFDFB131B95
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1348CC	2_2_00007FFDFB1348CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132A27	2_2_00007FFDFB132A27
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14F200	2_2_00007FFDFB14F200
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134B74	2_2_00007FFDFB134B74
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135227	2_2_00007FFDFB135227
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132513	2_2_00007FFDFB132513
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14F060	2_2_00007FFDFB14F060
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133EB3	2_2_00007FFDFB133EB3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131B72	2_2_00007FFDFB131B72
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131889	2_2_00007FFDFB131889
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1311DB	2_2_00007FFDFB1311DB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13282E	2_2_00007FFDFB13282E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB15B850	2_2_00007FFDFB15B850
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133DBE	2_2_00007FFDFB133DBE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134651	2_2_00007FFDFB134651
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB25B600	2_2_00007FFDFB25B600
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB15B4C0	2_2_00007FFDFB15B4C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2C74F0	2_2_00007FFDFB2C74F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135B91	2_2_00007FFDFB135B91
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136717	2_2_00007FFDFB136717
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1360D7	2_2_00007FFDFB1360D7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133EA4	2_2_00007FFDFB133EA4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1312A8	2_2_00007FFDFB1312A8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135204	2_2_00007FFDFB135204
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1369F6	2_2_00007FFDFB1369F6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131AE1	2_2_00007FFDFB131AE1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131EB0	2_2_00007FFDFB131EB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB21A870	2_2_00007FFDFB21A870
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13105F	2_2_00007FFDFB13105F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131F73	2_2_00007FFDFB131F73
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2CA910	2_2_00007FFDFB2CA910
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136596	2_2_00007FFDFB136596
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132112	2_2_00007FFDFB132112
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1351D7	2_2_00007FFDFB1351D7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132671	2_2_00007FFDFB132671
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB25EE80	2_2_00007FFDFB25EE80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14EF00	2_2_00007FFDFB14EF00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1360DC	2_2_00007FFDFB1360DC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1334AE	2_2_00007FFDFB1334AE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB26EDB0	2_2_00007FFDFB26EDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131BC7	2_2_00007FFDFB131BC7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1324AA	2_2_00007FFDFB1324AA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB212410	2_2_00007FFDFB212410
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136915	2_2_00007FFDFB136915
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134DA4	2_2_00007FFDFB134DA4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133099	2_2_00007FFDFB133099
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132D60	2_2_00007FFDFB132D60
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134421	2_2_00007FFDFB134421
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1319D8	2_2_00007FFDFB1319D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136000	2_2_00007FFDFB136000
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13258B	2_2_00007FFDFB13258B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB266710	2_2_00007FFDFB266710
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134129	2_2_00007FFDFB134129
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132B2B	2_2_00007FFDFB132B2B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13654B	2_2_00007FFDFB13654B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134E7B	2_2_00007FFDFB134E7B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136BA4	2_2_00007FFDFB136BA4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132E0A	2_2_00007FFDFB132E0A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134B9C	2_2_00007FFDFB134B9C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13227A	2_2_00007FFDFB13227A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB269AF0	2_2_00007FFDFB269AF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13488B	2_2_00007FFDFB13488B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1335DA	2_2_00007FFDFB1335DA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13375B	2_2_00007FFDFB13375B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132F2C	2_2_00007FFDFB132F2C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132342	2_2_00007FFDFB132342
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132428	2_2_00007FFDFB132428
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1336D4	2_2_00007FFDFB1336D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1337E7	2_2_00007FFDFB1337E7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB265F00	2_2_00007FFDFB265F00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1351D2	2_2_00007FFDFB1351D2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13591B	2_2_00007FFDFB13591B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136230	2_2_00007FFDFB136230
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2E1E40	2_2_00007FFDFB2E1E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132A90	2_2_00007FFDFB132A90
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14D260	2_2_00007FFDFB14D260
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1371C1	2_2_00007FFDFB1371C1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131C21	2_2_00007FFDFB131C21
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1345BB	2_2_00007FFDFB1345BB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133094	2_2_00007FFDFB133094
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB261320	2_2_00007FFDFB261320
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB155200	2_2_00007FFDFB155200
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131AEB	2_2_00007FFDFB131AEB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134999	2_2_00007FFDFB134999
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13731A	2_2_00007FFDFB13731A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133BF7	2_2_00007FFDFB133BF7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2E1690	2_2_00007FFDFB2E1690
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132761	2_2_00007FFDFB132761
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1311CC	2_2_00007FFDFB1311CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132E32	2_2_00007FFDFB132E32
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131839	2_2_00007FFDFB131839
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135BBE	2_2_00007FFDFB135BBE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133EE0	2_2_00007FFDFB133EE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1324A5	2_2_00007FFDFB1324A5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133E1D	2_2_00007FFDFB133E1D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13651E	2_2_00007FFDFB13651E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133206	2_2_00007FFDFB133206
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1362DA	2_2_00007FFDFB1362DA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2CC990	2_2_00007FFDFB2CC990
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136E7E	2_2_00007FFDFB136E7E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133DC8	2_2_00007FFDFB133DC8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136415	2_2_00007FFDFB136415
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB264A40	2_2_00007FFDFB264A40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135CF4	2_2_00007FFDFB135CF4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134DEA	2_2_00007FFDFB134DEA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135015	2_2_00007FFDFB135015
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132932	2_2_00007FFDFB132932
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135880	2_2_00007FFDFB135880
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134520	2_2_00007FFDFB134520
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135FEC	2_2_00007FFDFB135FEC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133738	2_2_00007FFDFB133738
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13400C	2_2_00007FFDFB13400C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132987	2_2_00007FFDFB132987
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131041	2_2_00007FFDFB131041
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131E79	2_2_00007FFDFB131E79
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB264D50	2_2_00007FFDFB264D50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136087	2_2_00007FFDFB136087
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13111D	2_2_00007FFDFB13111D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133805	2_2_00007FFDFB133805
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB137036	2_2_00007FFDFB137036
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1E0260	2_2_00007FFDFB1E0260
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133968	2_2_00007FFDFB133968
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13571D	2_2_00007FFDFB13571D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB270170	2_2_00007FFDFB270170
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132BF3	2_2_00007FFDFB132BF3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1371B2	2_2_00007FFDFB1371B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13627B	2_2_00007FFDFB13627B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1366C2	2_2_00007FFDFB1366C2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132C52	2_2_00007FFDFB132C52
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133134	2_2_00007FFDFB133134
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1317E4	2_2_00007FFDFB1317E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132EAF	2_2_00007FFDFB132EAF
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB137338	2_2_00007FFDFB137338
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132ABD	2_2_00007FFDFB132ABD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14C620	2_2_00007FFDFB14C620
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14C480	2_2_00007FFDFB14C480
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1312EE	2_2_00007FFDFB1312EE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E6F	2_2_00007FFE004C1E6F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1357	2_2_00007FFE004C1357
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2478	2_2_00007FFE004C2478
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F2620	2_2_00007FFE004F2620
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D2910	2_2_00007FFE004D2910
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F89D0	2_2_00007FFE004F89D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C191F	2_2_00007FFE004C191F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C6D00	2_2_00007FFE004C6D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C12B2	2_2_00007FFE004C12B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0052CDB4	2_2_00007FFE0052CDB4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051EF80	2_2_00007FFE0051EF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1BB3	2_2_00007FFE004C1BB3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DEFC0	2_2_00007FFE004DEFC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E6A	2_2_00007FFE004C1E6A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CB4F0	2_2_00007FFE004CB4F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D5540	2_2_00007FFE004D5540
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C12E4	2_2_00007FFE004C12E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CF695	2_2_00007FFE004CF695
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24B9	2_2_00007FFE004C24B9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C23DD	2_2_00007FFE004C23DD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1BF9	2_2_00007FFE004C1BF9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CFDB0	2_2_00007FFE004CFDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C15C8	2_2_00007FFE004C15C8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C210D	2_2_00007FFE004C210D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10257210	2_2_00007FFE10257210
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10246350	2_2_00007FFE10246350
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE102343F0	2_2_00007FFE102343F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE1023EBE0	2_2_00007FFE1023EBE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10246610	2_2_00007FFE10246610
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10241F11	2_2_00007FFE10241F11

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFE0052BE25 appears 103 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FF611791DB0 appears 36 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131055 appears 1557 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB134688 appears 138 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FF611791DF0 appears 110 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131FC3 appears 55 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB135DDA appears 737 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFE0052BD8F appears 195 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFE004C1023 appears 578 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB13206D appears 82 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131FFF appears 31 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131C08 appears 121 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB1341F6 appears 47 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB1340F7 appears 384 times

Sample file is different than original file name gathered from version info

Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ha vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe	Binary or memory string: OriginalFilename vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905337272.00007FFE1031C000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905186948.00007FFE1026C000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905655183.00007FFE126DC000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905869845.00007FFE12E1A000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905442920.00007FFE11EC4000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905546571.00007FFE11EE3000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905761700.00007FFE126F3000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905965685.00007FFE130C6000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2904817443.00007FFDFB87F000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs Eclf71HXa1.exe

Source: classification engine

Classification label: mal60.evad.winEXE@453/15@0/1

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF611791ED0 GetLastError,FormatMessageW,

0_2_00007FF611791ED0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI62802

Jump to behavior

Source: Eclf71HXa1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Eclf71HXa1.exe	ReversingLabs: Detection: 13%
Source: Eclf71HXa1.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

File read: C:\Users\user\Desktop\Eclf71HXa1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Eclf71HXa1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Eclf71HXa1.exe

Static file information: File size 5424070 > 1048576

Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Eclf71HXa1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Eclf71HXa1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905401585.00007FFE11EBE000.00000002.00000001.01000000.0000000A.sdmp, _bz2.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905252984.00007FFE1030D000.00000002.00000001.01000000.0000000E.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905507486.00007FFE11ED9000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905828042.00007FFE12E15000.00000002.00000001.01000000.0000000C.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: .PdB] source: Eclf71HXa1.exe
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904573844.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905927859.00007FFE130C3000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905609905.00007FFE126D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr

Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DCD2C push rbp; retf 0001h	2_2_00007FFE004DCD2D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DCD28 pushfq ; retf 0001h	2_2_00007FFE004DCD29
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00505561 push rcx; ret	2_2_00007FFE00505562
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E3C39 push 28C48348h; ret	2_2_00007FFE004E3C47

Drops PE files

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117942E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6117942E0

Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 2_2_00007FFDFB1363AC rdtsc

2_2_00007FFDFB1363AC

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

API coverage: 0.6 %

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117976F0 FindFirstFileExW,FindClose,	0_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117976F0 FindFirstFileExW,FindClose,	2_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	2_2_00007FFDFB134462

Source: Eclf71HXa1.exe, 00000002.00000003.1670073391.000002492CE9C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEBF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1363AC		2_2_00007FFDFB1363AC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1364EC		2_2_00007FFDFB1364EC

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 2_2_00007FFDFB1363AC rdtsc

2_2_00007FFDFB1363AC

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6117AA1D8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117B3280 GetProcessHeap,

0_2_00007FF6117B3280

Enables debug privileges

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6117AA1D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF61179AD00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61179B59C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179B740 SetUnhandledExceptionFilter,	0_2_00007FF61179B740
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6117AA1D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF61179AD00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF61179B59C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179B740 SetUnhandledExceptionFilter,	2_2_00007FF61179B740
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFDFB134FDE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D66 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE004C1D66
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE1023411C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE1023411C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10234304 SetUnhandledExceptionFilter,	2_2_00007FFE10234304
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE102336D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE102336D8

HIPS / PFW / Operating System Protection Evasion

Excessive usage of taskkill to terminate processes

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Uses taskkill to terminate processes

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117B9650 cpuid

0_2_00007FF6117B9650

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF61179B480 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF61179B480

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117B5B00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6117B5B00

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 2_2_00007FFDFB135DA3 bind,WSAGetLastError,

2_2_00007FFDFB135DA3

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.221.149.185	unknown	Russian Federation		30968	INFOBOX-ASInfoboxruAutonomousSystemRU	false

AV Detection

Multi AV Scanner detection for submitted file

Source: Eclf71HXa1.exe	ReversingLabs: Detection: 13%
Source: Eclf71HXa1.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1249 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,memcpy,	2_2_00007FFE004C1249
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D40B0 CRYPTO_clear_free,	2_2_00007FFE004D40B0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B9F CRYPTO_free,CRYPTO_malloc,	2_2_00007FFE004C1B9F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00512110 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,memcpy,memcpy,	2_2_00007FFE00512110
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E97 memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_memcmp,	2_2_00007FFE004C1E97
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1EA1 CRYPTO_strdup,CRYPTO_free,	2_2_00007FFE004C1EA1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B0E memset,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,	2_2_00007FFE004C1B0E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F5F CRYPTO_strdup,	2_2_00007FFE004C1F5F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C20FB CRYPTO_malloc,	2_2_00007FFE004C20FB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC0F0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FFE004EC0F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005081AE CRYPTO_free,CRYPTO_free,	2_2_00007FFE005081AE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050A190 EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	2_2_00007FFE0050A190
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C19E7 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE004C19E7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C19B5 CRYPTO_malloc,	2_2_00007FFE004C19B5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1C1C EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,	2_2_00007FFE004C1C1C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2130 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FFE004C2130
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC290 CRYPTO_free,CRYPTO_free,	2_2_00007FFE004EC290
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2239 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	2_2_00007FFE004C2239
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005263A0 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFE005263A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC380 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FFE004EC380
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C4407 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	2_2_00007FFE004C4407
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D8430 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	2_2_00007FFE004D8430
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C18CA CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C18CA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C150F CRYPTO_free,	2_2_00007FFE004C150F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1357 memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1357
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24F5 CRYPTO_free,	2_2_00007FFE004C24F5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DA530 CRYPTO_THREAD_run_once,	2_2_00007FFE004DA530
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1EEC EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,EVP_PKEY_id,CRYPTO_malloc,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	2_2_00007FFE004C1EEC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E44C0 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004E44C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1230 memcpy,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,memcmp,_time64,	2_2_00007FFE004C1230
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EC540 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_malloc,ERR_put_error,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,EVP_PKEY_free,X509_get0_pubkey,X509_free,OPENSSL_sk_push,ERR_put_error,X509_free,ERR_put_error,	2_2_00007FFE004EC540
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8560 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C8560
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8610 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,	2_2_00007FFE004C8610
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C4630 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	2_2_00007FFE004C4630
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F2620 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFE004F2620
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050A5D0 memset,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FFE0050A5D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C17B2 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004C17B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F82 CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,	2_2_00007FFE004C1F82
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1FA0 BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,	2_2_00007FFE004C1FA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C22C5 ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C22C5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DC710 CRYPTO_get_ex_new_index,	2_2_00007FFE004DC710
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6700 CRYPTO_free,	2_2_00007FFE004F6700
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C184D CRYPTO_free,	2_2_00007FFE004C184D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00510740 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE00510740
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6770 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,	2_2_00007FFE004F6770
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DC770 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004DC770
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D9D CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1D9D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005107E0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE005107E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1726 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE004C1726
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051E910 EVP_PKEY_CTX_new,X509_get0_pubkey,ERR_clear_error,EVP_PKEY_decrypt,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_free,	2_2_00007FFE0051E910
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C252C CRYPTO_malloc,ERR_put_error,BIO_snprintf,	2_2_00007FFE004C252C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B40 CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,	2_2_00007FFE004C1B40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1BEF ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes,	2_2_00007FFE004C1BEF
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050A940 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FFE0050A940
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050CA20 CRYPTO_free,CRYPTO_free,	2_2_00007FFE0050CA20
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B54 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004C1B54
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F89D0 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,BIO_ctrl,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,	2_2_00007FFE004F89D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CEA80 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,	2_2_00007FFE004CEA80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2063 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFE004C2063
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DEA40 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,	2_2_00007FFE004DEA40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00506A70 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00506A70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FEA60 CRYPTO_realloc,	2_2_00007FFE004FEA60
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C23D3 CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup,	2_2_00007FFE004C23D3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F4AD0 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	2_2_00007FFE004F4AD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00520AF0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00520AF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8AF0 CRYPTO_free,	2_2_00007FFE004C8AF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24BE CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C24BE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051CBB0 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE0051CBB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1848 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FFE004C1848
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F2BA0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	2_2_00007FFE004F2BA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D6B53 CRYPTO_free,CRYPTO_strdup,ERR_put_error,ERR_put_error,	2_2_00007FFE004D6B53
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1253 CRYPTO_free,	2_2_00007FFE004C1253
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051EC80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,	2_2_00007FFE0051EC80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FECA0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004FECA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D6C53 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004D6C53
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6C50 CRYPTO_free,	2_2_00007FFE004F6C50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C23C4 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C23C4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C18B6 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFE004C18B6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00506D00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE00506D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C212B EVP_MD_CTX_new,EVP_MD_CTX_copy_ex,CRYPTO_memcmp,memcpy,memcpy,	2_2_00007FFE004C212B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050ACC0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE0050ACC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6CF0 CRYPTO_free,CRYPTO_free,	2_2_00007FFE004F6CF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C191A ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,CRYPTO_dup_ex_data,BIO_ctrl,BIO_ctrl,BIO_up_ref,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	2_2_00007FFE004C191A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C179E CRYPTO_free,	2_2_00007FFE004C179E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00512DB0 CRYPTO_malloc,memcpy,	2_2_00007FFE00512DB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1028 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free,	2_2_00007FFE004C1028
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E8D80 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FFE004E8D80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2301 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C2301
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004ECD70 CRYPTO_malloc,CRYPTO_clear_free,	2_2_00007FFE004ECD70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C8E00 CRYPTO_malloc,ERR_put_error,	2_2_00007FFE004C8E00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051AEB0 CRYPTO_memcmp,	2_2_00007FFE0051AEB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6EB0 CRYPTO_free,	2_2_00007FFE004F6EB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F6E40 CRYPTO_free,	2_2_00007FFE004F6E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0052AE40 memset,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFE0052AE40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C141F EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004C141F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00526F30 CRYPTO_free,CRYPTO_malloc,ERR_put_error,	2_2_00007FFE00526F30
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00510F00 CRYPTO_free,	2_2_00007FFE00510F00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C18C0 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C18C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1A05 EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,	2_2_00007FFE004C1A05
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051EF80 EVP_PKEY_get0_RSA,RSA_size,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free,	2_2_00007FFE0051EF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C242D CRYPTO_free,CRYPTO_memdup,ERR_put_error,	2_2_00007FFE004C242D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2275 CRYPTO_free,	2_2_00007FFE004C2275
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9020 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C9020
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E2FD0 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	2_2_00007FFE004E2FD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E8FE0 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	2_2_00007FFE004E8FE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1ACD CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004C1ACD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2496 CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FFE004C2496
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D9040 ERR_put_error,ASN1_item_free,memcpy,_time64,X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FFE004D9040
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004EF0E0 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004EF0E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1AFF CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	2_2_00007FFE004C1AFF
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F7150 CRYPTO_free,	2_2_00007FFE004F7150
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F55 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C1F55
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1C3A X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FFE004C1C3A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C165E CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C165E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D7290 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,	2_2_00007FFE004D7290
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C10A5 CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	2_2_00007FFE004C10A5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1C03 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C1C03
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1005 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	2_2_00007FFE004C1005
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2176 EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FFE004C2176
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2144 CRYPTO_free,CRYPTO_malloc,RAND_bytes,	2_2_00007FFE004C2144
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D7F BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C1D7F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DD3E0 CRYPTO_THREAD_run_once,	2_2_00007FFE004DD3E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C207C CRYPTO_free,_time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,	2_2_00007FFE004C207C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051F4A0 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE0051F4A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1690 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004C1690
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1681 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C1681
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1AB9 CONF_parse_list,CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1AB9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00503440 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,	2_2_00007FFE00503440
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C186B CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C186B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E546A CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004E546A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9510 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FFE004C9510
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FF4D0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004FF4D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C101E EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FFE004C101E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C125D BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004C125D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F9570 CRYPTO_memcmp,	2_2_00007FFE004F9570
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C12E4 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C12E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C20DB CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	2_2_00007FFE004C20DB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24B9 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_memcmp,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,	2_2_00007FFE004C24B9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050F640 CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE0050F640
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517720 CRYPTO_memcmp,	2_2_00007FFE00517720
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DF6F0 CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE004DF6F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0052B7A0 SRP_Calc_u,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,CRYPTO_clear_free,BN_clear_free,	2_2_00007FFE0052B7A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E1790 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004E1790
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FF7A0 CRYPTO_free,CRYPTO_free,	2_2_00007FFE004FF7A0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9770 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FFE004C9770
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F9810 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004F9810
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1505 CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,	2_2_00007FFE004C1505
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1F0F CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FFE004C1F0F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE005078A7 CRYPTO_clear_free,	2_2_00007FFE005078A7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E3900 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004E3900
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1104 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFE004C1104
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C22B1 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004C22B1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00511960 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,	2_2_00007FFE00511960
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C16E0 CRYPTO_zalloc,	2_2_00007FFE004C16E0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DD940 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FFE004DD940
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DF960 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	2_2_00007FFE004DF960
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F9A30 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFE004F9A30
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DDA30 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FFE004DDA30
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1CC6 CRYPTO_malloc,COMP_expand_block,	2_2_00007FFE004C1CC6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FFA50 CRYPTO_memcmp,	2_2_00007FFE004FFA50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D43 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,	2_2_00007FFE004C1D43
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C17CB CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FFE004C17CB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C16B3 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free,	2_2_00007FFE004C16B3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517AE0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00517AE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C21AD memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FFE004C21AD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1EF1 CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,	2_2_00007FFE004C1EF1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C109B CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,	2_2_00007FFE004C109B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7BA0 CRYPTO_free,	2_2_00007FFE004C7BA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DBB70 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,	2_2_00007FFE004DBB70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D9B70 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE004D9B70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDBE0 CRYPTO_free,	2_2_00007FFE004CDBE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C22F7 CRYPTO_free,	2_2_00007FFE004C22F7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDC90 CRYPTO_free,	2_2_00007FFE004CDC90
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F3C80 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFE004F3C80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DDC70 CRYPTO_THREAD_run_once,	2_2_00007FFE004DDC70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517D00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE00517D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E4C CRYPTO_clear_free,	2_2_00007FFE004C1E4C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C17D0 CRYPTO_malloc,memcpy,	2_2_00007FFE004C17D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7CF0 CRYPTO_free,	2_2_00007FFE004C7CF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDCF0 CRYPTO_free,	2_2_00007FFE004CDCF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00519CDC CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE00519CDC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FFD80 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004FFD80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CFDB0 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,	2_2_00007FFE004CFDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDDA0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,	2_2_00007FFE004CDDA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E5D50 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FFE004E5D50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D7D40 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004D7D40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F7DD0 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FFE004F7DD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7DF0 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C7DF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E56 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,	2_2_00007FFE004C1E56
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1CD5 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFE004C1CD5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F3E40 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	2_2_00007FFE004F3E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D5E70 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFE004D5E70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00507E6F CRYPTO_malloc,	2_2_00007FFE00507E6F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1B8B CRYPTO_free,CRYPTO_malloc,	2_2_00007FFE004C1B8B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C1208
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0050BEF0 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE0050BEF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1AB4 CRYPTO_free,	2_2_00007FFE004C1AB4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D5FAA CRYPTO_free,	2_2_00007FFE004D5FAA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C7F50 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFE004C7F50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004FFF70 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFE004FFF70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C15C8 EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FFE004C15C8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E2010 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FFE004E2010
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C210D HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	2_2_00007FFE004C210D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2243 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FFE004C2243
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C402B BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	2_2_00007FFE004C402B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C9FC0 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFE004C9FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00517FC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,	2_2_00007FFE00517FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00509FC0 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,	2_2_00007FFE00509FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C14FB CRYPTO_free,CRYPTO_memdup,ERR_put_error,	2_2_00007FFE004C14FB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D7FE0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FFE004D7FE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CDFE0 CRYPTO_malloc,	2_2_00007FFE004CDFE0

Source: Eclf71HXa1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905401585.00007FFE11EBE000.00000002.00000001.01000000.0000000A.sdmp, _bz2.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905252984.00007FFE1030D000.00000002.00000001.01000000.0000000E.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905507486.00007FFE11ED9000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905828042.00007FFE12E15000.00000002.00000001.01000000.0000000C.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: .PdB] source: Eclf71HXa1.exe
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904573844.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905927859.00007FFE130C3000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905609905.00007FFE126D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117976F0 FindFirstFileExW,FindClose,	0_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117976F0 FindFirstFileExW,FindClose,	2_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	2_2_00007FFDFB134462

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 77.221.149.185:5988

Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.149.185

Source: Eclf71HXa1.exe, 00000002.00000002.2903163468.000002492F0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org/techtonik/python-pager
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org/techtonik/python-wget/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://greenbytes.de/tech/tc2231/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pypi.python.org/pypi/wget/
Source: python38.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: Eclf71HXa1.exe, 00000000.00000003.1661863248.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2903203946.000002492F120000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Eclf71HXa1.exe, 00000002.00000002.2902566713.000002492EB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H

Too many similar processes found

Source: cmd.exe

Process created: 213

Detected potential crypto function

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B6A4C	0_2_00007FF6117B6A4C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B06D4	0_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A12C0	0_2_00007FF6117A12C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A32F0	0_2_00007FF6117A32F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B5B00	0_2_00007FF6117B5B00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A9AA0	0_2_00007FF6117A9AA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A01CC	0_2_00007FF6117A01CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B3A10	0_2_00007FF6117B3A10
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A2A28	0_2_00007FF6117A2A28
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B06D4	0_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B6500	0_2_00007FF6117B6500
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF611797C70	0_2_00007FF611797C70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A7C98	0_2_00007FF6117A7C98
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117AE3B8	0_2_00007FF6117AE3B8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179FBB8	0_2_00007FF61179FBB8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A03D8	0_2_00007FF6117A03D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A8350	0_2_00007FF6117A8350
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A5B50	0_2_00007FF6117A5B50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A1658	0_2_00007FF6117A1658
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B1674	0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B3EAC	0_2_00007FF6117B3EAC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179FDBC	0_2_00007FF61179FDBC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A05DC	0_2_00007FF6117A05DC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A25F0	0_2_00007FF6117A25F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117A2E2C	0_2_00007FF6117A2E2C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117ADD38	0_2_00007FF6117ADD38
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B5D7C	0_2_00007FF6117B5D7C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117988EB	0_2_00007FF6117988EB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179911D	0_2_00007FF61179911D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117AD8A4	0_2_00007FF6117AD8A4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179FFC8	0_2_00007FF61179FFC8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B9808	0_2_00007FF6117B9808
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179874B	0_2_00007FF61179874B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B6A4C	2_2_00007FF6117B6A4C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A12C0	2_2_00007FF6117A12C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A32F0	2_2_00007FF6117A32F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B5B00	2_2_00007FF6117B5B00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A9AA0	2_2_00007FF6117A9AA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A01CC	2_2_00007FF6117A01CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B3A10	2_2_00007FF6117B3A10
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A2A28	2_2_00007FF6117A2A28
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B06D4	2_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B6500	2_2_00007FF6117B6500
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF611797C70	2_2_00007FF611797C70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A7C98	2_2_00007FF6117A7C98
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117AE3B8	2_2_00007FF6117AE3B8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179FBB8	2_2_00007FF61179FBB8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A03D8	2_2_00007FF6117A03D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A8350	2_2_00007FF6117A8350
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A5B50	2_2_00007FF6117A5B50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B06D4	2_2_00007FF6117B06D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A1658	2_2_00007FF6117A1658
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B1674	2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B3EAC	2_2_00007FF6117B3EAC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179FDBC	2_2_00007FF61179FDBC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A05DC	2_2_00007FF6117A05DC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A25F0	2_2_00007FF6117A25F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117A2E2C	2_2_00007FF6117A2E2C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117ADD38	2_2_00007FF6117ADD38
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B5D7C	2_2_00007FF6117B5D7C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117988EB	2_2_00007FF6117988EB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179911D	2_2_00007FF61179911D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117AD8A4	2_2_00007FF6117AD8A4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179FFC8	2_2_00007FF61179FFC8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B9808	2_2_00007FF6117B9808
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179874B	2_2_00007FF61179874B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB26FB70	2_2_00007FFDFB26FB70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1312C1	2_2_00007FFDFB1312C1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB363B80	2_2_00007FFDFB363B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134025	2_2_00007FFDFB134025
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2CBA70	2_2_00007FFDFB2CBA70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB19FB00	2_2_00007FFDFB19FB00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13385F	2_2_00007FFDFB13385F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134B24	2_2_00007FFDFB134B24
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133C1A	2_2_00007FFDFB133C1A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132504	2_2_00007FFDFB132504
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132BC6	2_2_00007FFDFB132BC6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13513C	2_2_00007FFDFB13513C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2DFF80	2_2_00007FFDFB2DFF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB25BFA0	2_2_00007FFDFB25BFA0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2C7E70	2_2_00007FFDFB2C7E70
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB137194	2_2_00007FFDFB137194
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13135C	2_2_00007FFDFB13135C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14BF20	2_2_00007FFDFB14BF20
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14BD60	2_2_00007FFDFB14BD60
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13200E	2_2_00007FFDFB13200E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131B95	2_2_00007FFDFB131B95
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1348CC	2_2_00007FFDFB1348CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132A27	2_2_00007FFDFB132A27
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14F200	2_2_00007FFDFB14F200
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134B74	2_2_00007FFDFB134B74
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135227	2_2_00007FFDFB135227
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132513	2_2_00007FFDFB132513
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14F060	2_2_00007FFDFB14F060
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133EB3	2_2_00007FFDFB133EB3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131B72	2_2_00007FFDFB131B72
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131889	2_2_00007FFDFB131889
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1311DB	2_2_00007FFDFB1311DB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13282E	2_2_00007FFDFB13282E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB15B850	2_2_00007FFDFB15B850
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133DBE	2_2_00007FFDFB133DBE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134651	2_2_00007FFDFB134651
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB25B600	2_2_00007FFDFB25B600
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB15B4C0	2_2_00007FFDFB15B4C0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2C74F0	2_2_00007FFDFB2C74F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135B91	2_2_00007FFDFB135B91
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136717	2_2_00007FFDFB136717
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1360D7	2_2_00007FFDFB1360D7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133EA4	2_2_00007FFDFB133EA4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1312A8	2_2_00007FFDFB1312A8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135204	2_2_00007FFDFB135204
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1369F6	2_2_00007FFDFB1369F6
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131AE1	2_2_00007FFDFB131AE1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131EB0	2_2_00007FFDFB131EB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB21A870	2_2_00007FFDFB21A870
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13105F	2_2_00007FFDFB13105F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131F73	2_2_00007FFDFB131F73
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2CA910	2_2_00007FFDFB2CA910
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136596	2_2_00007FFDFB136596
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132112	2_2_00007FFDFB132112
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1351D7	2_2_00007FFDFB1351D7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132671	2_2_00007FFDFB132671
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB25EE80	2_2_00007FFDFB25EE80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14EF00	2_2_00007FFDFB14EF00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1360DC	2_2_00007FFDFB1360DC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1334AE	2_2_00007FFDFB1334AE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB26EDB0	2_2_00007FFDFB26EDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131BC7	2_2_00007FFDFB131BC7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1324AA	2_2_00007FFDFB1324AA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB212410	2_2_00007FFDFB212410
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136915	2_2_00007FFDFB136915
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134DA4	2_2_00007FFDFB134DA4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133099	2_2_00007FFDFB133099
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132D60	2_2_00007FFDFB132D60
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134421	2_2_00007FFDFB134421
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1319D8	2_2_00007FFDFB1319D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136000	2_2_00007FFDFB136000
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13258B	2_2_00007FFDFB13258B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB266710	2_2_00007FFDFB266710
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134129	2_2_00007FFDFB134129
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132B2B	2_2_00007FFDFB132B2B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13654B	2_2_00007FFDFB13654B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134E7B	2_2_00007FFDFB134E7B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136BA4	2_2_00007FFDFB136BA4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132E0A	2_2_00007FFDFB132E0A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134B9C	2_2_00007FFDFB134B9C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13227A	2_2_00007FFDFB13227A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB269AF0	2_2_00007FFDFB269AF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13488B	2_2_00007FFDFB13488B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1335DA	2_2_00007FFDFB1335DA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13375B	2_2_00007FFDFB13375B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132F2C	2_2_00007FFDFB132F2C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132342	2_2_00007FFDFB132342
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132428	2_2_00007FFDFB132428
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1336D4	2_2_00007FFDFB1336D4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1337E7	2_2_00007FFDFB1337E7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB265F00	2_2_00007FFDFB265F00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1351D2	2_2_00007FFDFB1351D2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13591B	2_2_00007FFDFB13591B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136230	2_2_00007FFDFB136230
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2E1E40	2_2_00007FFDFB2E1E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132A90	2_2_00007FFDFB132A90
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14D260	2_2_00007FFDFB14D260
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1371C1	2_2_00007FFDFB1371C1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131C21	2_2_00007FFDFB131C21
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1345BB	2_2_00007FFDFB1345BB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133094	2_2_00007FFDFB133094
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB261320	2_2_00007FFDFB261320
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB155200	2_2_00007FFDFB155200
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131AEB	2_2_00007FFDFB131AEB
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134999	2_2_00007FFDFB134999
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13731A	2_2_00007FFDFB13731A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133BF7	2_2_00007FFDFB133BF7
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2E1690	2_2_00007FFDFB2E1690
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132761	2_2_00007FFDFB132761
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1311CC	2_2_00007FFDFB1311CC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132E32	2_2_00007FFDFB132E32
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131839	2_2_00007FFDFB131839
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135BBE	2_2_00007FFDFB135BBE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133EE0	2_2_00007FFDFB133EE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1324A5	2_2_00007FFDFB1324A5
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133E1D	2_2_00007FFDFB133E1D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13651E	2_2_00007FFDFB13651E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133206	2_2_00007FFDFB133206
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1362DA	2_2_00007FFDFB1362DA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB2CC990	2_2_00007FFDFB2CC990
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136E7E	2_2_00007FFDFB136E7E
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133DC8	2_2_00007FFDFB133DC8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136415	2_2_00007FFDFB136415
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB264A40	2_2_00007FFDFB264A40
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135CF4	2_2_00007FFDFB135CF4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134DEA	2_2_00007FFDFB134DEA
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135015	2_2_00007FFDFB135015
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132932	2_2_00007FFDFB132932
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135880	2_2_00007FFDFB135880
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134520	2_2_00007FFDFB134520
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB135FEC	2_2_00007FFDFB135FEC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133738	2_2_00007FFDFB133738
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13400C	2_2_00007FFDFB13400C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132987	2_2_00007FFDFB132987
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131041	2_2_00007FFDFB131041
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB131E79	2_2_00007FFDFB131E79
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB264D50	2_2_00007FFDFB264D50
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB136087	2_2_00007FFDFB136087
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13111D	2_2_00007FFDFB13111D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133805	2_2_00007FFDFB133805
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB137036	2_2_00007FFDFB137036
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1E0260	2_2_00007FFDFB1E0260
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133968	2_2_00007FFDFB133968
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13571D	2_2_00007FFDFB13571D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB270170	2_2_00007FFDFB270170
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132BF3	2_2_00007FFDFB132BF3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1371B2	2_2_00007FFDFB1371B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB13627B	2_2_00007FFDFB13627B
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1366C2	2_2_00007FFDFB1366C2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132C52	2_2_00007FFDFB132C52
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB133134	2_2_00007FFDFB133134
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1317E4	2_2_00007FFDFB1317E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132EAF	2_2_00007FFDFB132EAF
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB137338	2_2_00007FFDFB137338
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB132ABD	2_2_00007FFDFB132ABD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14C620	2_2_00007FFDFB14C620
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB14C480	2_2_00007FFDFB14C480
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1312EE	2_2_00007FFDFB1312EE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E6F	2_2_00007FFE004C1E6F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1357	2_2_00007FFE004C1357
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C2478	2_2_00007FFE004C2478
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F2620	2_2_00007FFE004F2620
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D2910	2_2_00007FFE004D2910
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004F89D0	2_2_00007FFE004F89D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C191F	2_2_00007FFE004C191F
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C6D00	2_2_00007FFE004C6D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C12B2	2_2_00007FFE004C12B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0052CDB4	2_2_00007FFE0052CDB4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE0051EF80	2_2_00007FFE0051EF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1BB3	2_2_00007FFE004C1BB3
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DEFC0	2_2_00007FFE004DEFC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1E6A	2_2_00007FFE004C1E6A
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CB4F0	2_2_00007FFE004CB4F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004D5540	2_2_00007FFE004D5540
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C12E4	2_2_00007FFE004C12E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CF695	2_2_00007FFE004CF695
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C24B9	2_2_00007FFE004C24B9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C23DD	2_2_00007FFE004C23DD
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1BF9	2_2_00007FFE004C1BF9
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004CFDB0	2_2_00007FFE004CFDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C15C8	2_2_00007FFE004C15C8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C210D	2_2_00007FFE004C210D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10257210	2_2_00007FFE10257210
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10246350	2_2_00007FFE10246350
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE102343F0	2_2_00007FFE102343F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE1023EBE0	2_2_00007FFE1023EBE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10246610	2_2_00007FFE10246610
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10241F11	2_2_00007FFE10241F11

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFE0052BE25 appears 103 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FF611791DB0 appears 36 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131055 appears 1557 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB134688 appears 138 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FF611791DF0 appears 110 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131FC3 appears 55 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB135DDA appears 737 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFE0052BD8F appears 195 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFE004C1023 appears 578 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB13206D appears 82 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131FFF appears 31 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB131C08 appears 121 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB1341F6 appears 47 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: String function: 00007FFDFB1340F7 appears 384 times

Sample file is different than original file name gathered from version info

Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ha vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe	Binary or memory string: OriginalFilename vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905337272.00007FFE1031C000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905186948.00007FFE1026C000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905655183.00007FFE126DC000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905869845.00007FFE12E1A000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905442920.00007FFE11EC4000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905546571.00007FFE11EE3000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905761700.00007FFE126F3000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905965685.00007FFE130C6000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2904817443.00007FFDFB87F000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs Eclf71HXa1.exe

Source: classification engine

Classification label: mal60.evad.winEXE@453/15@0/1

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF611791ED0 GetLastError,FormatMessageW,

0_2_00007FF611791ED0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI62802

Jump to behavior

Source: Eclf71HXa1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Eclf71HXa1.exe	ReversingLabs: Detection: 13%
Source: Eclf71HXa1.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

File read: C:\Users\user\Desktop\Eclf71HXa1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Eclf71HXa1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Eclf71HXa1.exe

Static file information: File size 5424070 > 1048576

Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Eclf71HXa1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Eclf71HXa1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Eclf71HXa1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905401585.00007FFE11EBE000.00000002.00000001.01000000.0000000A.sdmp, _bz2.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905252984.00007FFE1030D000.00000002.00000001.01000000.0000000E.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905507486.00007FFE11ED9000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905828042.00007FFE12E15000.00000002.00000001.01000000.0000000C.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: .PdB] source: Eclf71HXa1.exe
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904573844.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905927859.00007FFE130C3000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905609905.00007FFE126D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr

Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Eclf71HXa1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DCD2C push rbp; retf 0001h	2_2_00007FFE004DCD2D
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004DCD28 pushfq ; retf 0001h	2_2_00007FFE004DCD29
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE00505561 push rcx; ret	2_2_00007FFE00505562
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004E3C39 push 28C48348h; ret	2_2_00007FFE004E3C47

Drops PE files

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

0_2_00007FF6117942E0

Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 2_2_00007FFDFB1363AC rdtsc

2_2_00007FFDFB1363AC

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

API coverage: 0.6 %

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117976F0 FindFirstFileExW,FindClose,	0_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117976F0 FindFirstFileExW,FindClose,	2_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	2_2_00007FFDFB134462

Binary or memory string: Hyper-V RAW

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1363AC		2_2_00007FFDFB1363AC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB1364EC		2_2_00007FFDFB1364EC

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 2_2_00007FFDFB1363AC rdtsc

2_2_00007FFDFB1363AC

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6117AA1D8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117B3280 GetProcessHeap,

0_2_00007FF6117B3280

Enables debug privileges

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6117AA1D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF61179AD00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61179B59C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 0_2_00007FF61179B740 SetUnhandledExceptionFilter,	0_2_00007FF61179B740
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6117AA1D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF61179AD00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF61179B59C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FF61179B740 SetUnhandledExceptionFilter,	2_2_00007FF61179B740
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFDFB134FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFDFB134FDE
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE004C1D66 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE004C1D66
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE1023411C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE1023411C
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE10234304 SetUnhandledExceptionFilter,	2_2_00007FFE10234304
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Code function: 2_2_00007FFE102336D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE102336D8

HIPS / PFW / Operating System Protection Evasion

Excessive usage of taskkill to terminate processes

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Uses taskkill to terminate processes

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117B9650 cpuid

0_2_00007FF6117B9650

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe	Queries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF61179B480 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF61179B480

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 0_2_00007FF6117B5B00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6117B5B00

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\Eclf71HXa1.exe

Code function: 2_2_00007FFDFB135DA3 bind,WSAGetLastError,

2_2_00007FFDFB135DA3

ID:	1466585
Product:	CloudBasic
Start time:	07:14:08
Start date:	03.07.2024
Sample:	Eclf71HXa1.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9f478308a636906db8c36e77ce68b4c2
SHA1:	369b818537e16c4c038ce0779bb031ba6980db9c
SHA256:	544095b7f34939172ea5bd6544be4c82357921f3153d17ac0e4b1b93dc363de4
Filetype:	Win64 Executable Console (202006/5) 92.65%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	0E675D4A7A5B7CCD69013386793F68EB	6E5821DDD8FEA6681BDA4448816F39984A33596B	BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	3DC8AF67E6EE06AF9EEC52FE985A7633	1451B8C598348A0C0E50AFC0EC91513C46FE3AF6	C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	F1E33A8F6F91C2ED93DC5049DD50D7B8	23C583DC98AA3F6B8B108DB5D90E65D3DD72E9B4	9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	A6448BC5E5DA21A222DE164823ADD45C	6C26EB949D7EB97D19E42559B2E3713D7629F2F9	3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	37057C92F50391D0751F2C1D7AD25B02	A43C6835B11621663FA251DA421BE58D143D2AFB	9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	D6BAE4B430F349AB42553DC738699F0E	7E5EFC958E189C117ECCEF39EC16EBF00E7645A9	587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	8EE827F2FE931163F078ACDC97107B64	149BB536F3492BC59BD7071A3DA7D1F974860641	EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip	Zip archive data, at least v2.0 to extract, compression method=store	614436C7EA1EF4A93EDF3E388CA9DD65	68191FB975E9236DD9A9C5F856A5EB05E54FC082	E728EC7DA471E7962C52BF86046F42863787F4564A08EE6666ED0C70E1A715C1
C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	BF83F8AD60CB9DB462CE62C73208A30D	F1BC7DBC1E5B00426A51878719196D78981674C4	012866B68F458EC204B9BCE067AF8F4A488860774E7E17973C49E583B52B828D
C:\Users\user\AppData\Local\Temp\_MEI62802\libffi-7.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	4424BAF6ED5340DF85482FA82B857B03	181B641BF21C810A486F855864CD4B8967C24C44	8C1F7F64579D01FEDFDE07E0906B1F8E607C34D5E6424C87ABE431A2322EBA79
C:\Users\user\AppData\Local\Temp\_MEI62802\libssl-1_1.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	FE1F3632AF98E7B7A2799E3973BA03CF	353C7382E2DE3CCDD2A4911E9E158E7C78648496	1CE7BA99E817C1C2D71BC88A1BDD6FCAD82AA5C3E519B91EBD56C96F22E3543B
C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	D2A8A5E7380D5F4716016777818A32C5	FB12F31D1D0758FE3E056875461186056121ED0C	59AB345C565304F638EFFA7C0236F26041FD06E35041A75988E13995CD28ACE9
C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	6AE54D103866AAD6F58E119D27552131	BC53A92A7667FD922CE29E98DFCF5F08F798A3D2	63B81AF5D3576473C17AC929BEA0ADD5BF8D7EA95C946CAF66CBB9AD3F233A88
C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	4C0D43F1A31E76255CB592BB616683E7	0A9F3D77A6E064BAEBACACC780701117F09169AD	0F84E9F0D0BF44D10527A9816FCAB495E3D797B09E7BBD1E6BD666CEB4B6C1A8
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C3BEEF83F611D6E7B7B3218DB0E34BD6	DFE8A6769A26CA961164AAFA97060A5C23BDEC4B	C2A5A1005A41FD2A3969358A080B850CD96771FB15E376D27A010EF411006511

Windows Analysis Report
Eclf71HXa1.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report Eclf71HXa1.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
Eclf71HXa1.exe