Edit tour

Windows Analysis Report
cMqyGFCQHk.exe

Overview

General Information

Sample name:	cMqyGFCQHk.exe renamed because original name is a hash value
Original sample name:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7.exe
Analysis ID:	1556006
MD5:	b408e3da98f0e457d627510165374ddd
SHA1:	49de055d881896670ce8b1ba1633d5f8b4f8e193
SHA256:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7
Tags:	exeLionSoftwareLLCuser-JAMESWT_MHT
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Powershell create lnk in startup

Drops large PE files

Powershell creates an autostart link

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Electron Application Child Processes

Stores files to the Windows start menu directory

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cMqyGFCQHk.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\cMqyGFCQHk.exe" MD5: B408E3DA98F0E457D627510165374DDD)

cmd.exe (PID: 4508 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv | "C:\Windows\system32\find.exe" "Teams.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3328 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 4040 cmdline: "C:\Windows\system32\find.exe" "Teams.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

Teams.exe (PID: 5912 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 6472 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2 MD5: 102326801694C938E466C8D96E4200BD)

cmd.exe (PID: 6976 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6292 cmdline: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)

Teams.exe (PID: 3268 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3 MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 1060 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" MD5: 102326801694C938E466C8D96E4200BD)

cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1936 cmdline: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)

Teams.exe (PID: 3908 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2 MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 6644 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3 MD5: 102326801694C938E466C8D96E4200BD)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Source: File created

Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe, ParentProcessId: 5912, ParentProcessName: Teams.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", ProcessId: 6976, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()", CommandLine: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6976, ParentProcessName: cmd.exe, ProcessCommandLine: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()", ProcessId: 6292, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Powershell create lnk in startup

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe, ParentProcessId: 5912, ParentProcessName: Teams.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", ProcessId: 6976, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: cMqyGFCQHk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8013f783-e1a2-5f53-80da-b1ad483bd59f

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\LICENSE.electron.txt			Jump to behavior

Source: cMqyGFCQHk.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ffmpeg.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2392381415.00000000047BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2390610484.00000000047BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vulkan-1.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2368310453.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2374409262.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2368094273.0000000002D20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: cMqyGFCQHk.exe, 00000000.00000003.2390610484.00000000047BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: electron.exe.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vk_swiftshader.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2447177094.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\locales	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources	Jump to behavior

Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: * **Google Hangouts Video**: http://www.youtube.com/watch?v=I9nDOSGfwZg equals www.youtube.com (Youtube)

Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://2x.io)
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/355034686
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096371
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096371expandIntegerPowExpressionsThe
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096454
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096480
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096530
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096539
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096608
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096608allowES3OnFL100Allow
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096643
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096648
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096661
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096758
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644593
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644627
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644627skipVSConstantRegisterZeroIn
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644663
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644715
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644730
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644740
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42260492
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42260591
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42260722
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261226
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261713
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261881
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261882
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261924
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261924allowClearForRobustResourceInitSome
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42262239
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42262247
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42262386
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42263031
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42263407
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42263969
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264008
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264951
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42265995
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266019
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266610
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42267045
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42267082
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42267082ProgramGL::postLinkJobImpl
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cldr.unicode.org/index/downloads
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/python-gflags/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/smhasher/
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1094869
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/110263
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1144207
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1171371
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1181068
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1181193
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1420130
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1434317
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1456243
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/308366
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/403957
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/550292
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/565179
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/642227
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/642605
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/644669
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/650547
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/672380
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/709351
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/797243
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/809422
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/830046
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/883276
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/927470
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThere
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://feross.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fresc81.github.io/node-winreg
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://git.linuxtv.org/v4l-utils.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/troygoode/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://google.github.io/snappy/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://n8.io/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ns.apple.com/HDRGainMap/1.0/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ns.apple.com/pixeldatainfo/1.0/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ns.google.com/photos/1.0/container/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ns.google.com/photos/1.0/container/item/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.perlig.de/rjsmin/
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://skbug.com/9491
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://source.android.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://source.android.com/compatibility)
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/a/1068308/13216
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://substack.net
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://travis-ci.org/troygoode/node-require-directory)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://website-archive.mozilla.org/www.mozilla.org/mpl/MPL/NPL/1.1/):
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wpad/wpad.dat
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wpad/wpad.dat..
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/legal/guidelinesfor3rdparties.html.
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.finesse.demon.co.uk/steven/sqrt.html.
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.freedesktop.org/wiki/Software/xdg-user-dirs
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.futurealoof.com)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gutenberg.org/ebooks/53).
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.linux-usb.org/usb-ids.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/NPL/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.apple.com/apsl/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/bsd-license.php
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pertinentdetail.org/sqrt
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ploscompbiol.org/static/license
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.polymer-project.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.portaudio.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.softsynth.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=I9nDOSGfwZg
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://zlib.net/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%s:%d/.well-known/masque/udp/%s/%d/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%s:%d/.well-known/masque/udp/%s/%d/Net.QuicStreamFactory.DefaultNetworkMatchNet.QuicSession.
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://android.googlesource.com/platform/external/puffin
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/40096376
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/40096712
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/41488638
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42263273
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42263702
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42264072
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42265782
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42265877
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42266740
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42266745
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42266748
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42266811
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42267098
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/8646
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons3.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3rpDuEX.
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3rpDuEX.Invalid
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.htmlMixed
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.android.clients.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.bigcache.googleapis.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.doc-0-0-sj.sj.googleusercontent.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.docs.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.drive.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.googlesyndication.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.pack.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.play.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.youtube.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2449217643.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=nl&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2450380398.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BR&category=theme81https://myactivity.google.com/myactivity
Source: cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5105856067141632.
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449217643.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450380398.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449380697.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448748666.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448359715.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449000858.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/external/github.com/intel/tinycbor.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/vulkan-deps/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/webm/libwebm
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/webm/libwebp
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/v8/wiki/JavaScriptStackTraceApi
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1038223.
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1042393
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1046462
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1060012
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1091824
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1137851
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1154140
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1300575
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1356053
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/40279678
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/40488750
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024selectViewInGeometryShaderThe
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547callClearTwiceUsing
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534useSystemMemoryForConstantBuffersCopying
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/705865
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/710443
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/811661
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/848952
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119Blink.Script.SchedulingTypeScriptLoader
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/981419
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by/3.0/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/blog/enabling-shared-array-buffer/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/includes
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developers.google.com/android/guides/setup
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/17aTgLnjMXIrfjgNaTUnHQO7m3xgzHR2VXBTmi03Qii4/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://domenic.me/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://feross.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://feross.org/opensource
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://feross.org/support
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcp.gvt2.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcp.gvt6.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Cyan4973/xxHash
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GoogleChrome/web-vitals
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GoogleChromeLabs/text-fragments-polyfill
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Headers
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Loader
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Maratyszcza/pthreadpool
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Nicoshev/rapidhash
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Nicoshev/rapidhash/blob/master/rapidhash.h
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PortAudio/portaudio/tree/master/src/common
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ReactiveX/rxjs
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/RyanZim/universalify#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/RyanZim/universalify.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/STRML/async-limiter
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Sebmaster/tr46.js#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Sebmaster/tr46.js.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/SeleniumHQ/selenium/tree/trunk
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Squirrel/Squirrel.Mac
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TooTallNate/util-deprecate
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TroyGoode)
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.border-boxcontent-bo
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/scheduling-apis
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/shared-element-transitions/blob/main/debugging_overflow_on_images.md.
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/view-transitions/blob/main/debugging_overflow_on_images.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WebAssembly/wasm-c-api/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aawc/unrar.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/brailcom/speechd
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/brycebaril/node-stream-meter.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/wrap-ansi?sponsor=1
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/conventional-changelog/standard-version):
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dominictarr/rc.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dpranke/typ.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/etingof/pyasn1
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/zstd
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/queue-microtask
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/run-parallel
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/safe-buffer
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/simple-concat
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/simple-get
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/flutter/flutter/issues/47164
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/flutter/flutter/issues/47804
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fresc81/node-winreg
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/diff-match-patch/tree/master/javascript
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/distributed_point_functions
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/google-api-cpp-client/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/pprof/tree/master/proto
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/private-join-and-compute
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/protobuf
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/re2
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/ruy
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/securemessage
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/sentencepiece
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/shell-encryption
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/ukey2
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/wicked-good-xpath
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/woff2
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/wuffs-mirror-release-c
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/xnnpack
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-status
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-statusFailed
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/is-core-module
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/is-core-module.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/node-supports-preserve-symlinks-flag#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/intel/libva
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/101)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/102)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/105)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/106
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/99)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/labels/wg-agenda
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068737927
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068738228
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068738548
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068742592
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639071916
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639072106
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639072371
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639072571
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jonschlinkert)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jprichardson/node-fs-extra
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jrmuizel/qcms/tree/v4
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lgeiger/node-abi/issues/54
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1088
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ljharb)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/pump
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mcollina/reusify#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mcollina/reusify.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/micromatch/to-regex-range
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mikeal/tunnel-agent
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/TSC/blob/master/Moderation-Policy.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/blob/master/CODE_OF_CONDUCT.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/blob/v10.8.0/lib/internal/errors.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/8871#issuecomment-250915913
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/8987
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35407#issuecomment-700693439
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/string_decoder
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/normalize/mz
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/cli/blob/4c65cd952bc8627811735bea76b9b110cc4fc80e/lib/utils/ansi-trim.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-semver.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/blob/51b6627a1f357d2eb433e7378e5f05e83b7aa6cd/lib/header.js#L349
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/wrappy
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/patrickhulce/third-party-web
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/prebuild/prebuild-install
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/prebuild/prebuild-install.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/protocolbuffers/protobuf-javascript
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/protocolbuffers/protobuf/blob/master/java/lite.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/puppeteer/puppeteer/tree/main/packages/puppeteer-core
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sass/node-sass/issues/1589#issuecomment-265292579
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/simplejson/simplejson
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/make-dir
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/os-homedir/blob/11e089f4754db38bb535e5a8416320c4446e8cfd/index.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/broofa
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/ctavan
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/feross
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/ljharb
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/models
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/tensorflow
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/text.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/tflite-support
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/test262-utils/test262-harness-py
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/troygoode/node-require-directory/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/uuidjs/uuid#getrandomvalues-not-supported
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/uuidjs/uuid.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/v8/v8/blob/6.0.122/test/mjsunit/fast-prototype.js#L48-L63
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068735040
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068735307
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068735697
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068736093
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068736404
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638965835
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638965968
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638966056
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638966247
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638966552
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615021
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615173
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615423
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615557
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615807
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438143
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438190
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438236
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/918633749
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/releases/download/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4805
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4805Custom
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120Access
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-features
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-featuresDeviceOri
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wasdk/wasmparser
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws/issues/1202
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws/issues/1869.
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws/issues/1940.
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/xiph/rnnoise
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/y18n
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs#supported-nodejs-versions
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs-parser#supported-nodejs-versions
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs-parser.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zeux/volk
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zorkow/speech-rule-user
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/xorg/proto/xproto/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/7K7WLu
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/7K7WLuThe
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/7K7WLuWebAudio.AutoplayWebAudio.Autoplay.CrossOriginWebAudio.Autoplay.UnlockType..
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22Media
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22RemoveElementFromDocumentMapit
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/t5IS6M).
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/xX8pDD
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/xX8pDDplay()
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/ximf56
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/ximf56Iframe
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gle/chrome-insecure-origins
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-analytics.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googlevideo.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt1.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt2.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt6.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hackerone.com/reports/541502
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsURLParsers.cpp
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/canvas.html#concept-canvas-will-read-frequently
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/comms.html#the-websocket-interface
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://medium.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodei.co/npm/require-directory.png?downloads=true&stars=true)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodei.co/npm/require-directory/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://npmjs.org/package/require-directory))
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://opensource.apple.com/source/xnu/
Source: cMqyGFCQHk.exe, 00000000.00000003.2449217643.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comAkun
Source: cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comConta
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449380697.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448748666.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448359715.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449000858.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle-accountOpgeslagen
Source: cMqyGFCQHk.exe, 00000000.00000003.2450380398.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comKonta
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://polymer-library.polymer-project.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/pyparsing
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/six/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.python.org/pypi/pyfakefs
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.python.org/pypi/webapp2
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://quiche.googlesource.com/quiche
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://redux.js.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://secure.travis-ci.org/troygoode/node-require-directory.png)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://semver.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shorturl.at/drFY7)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/site/gaviotachessuser/Home/endgame-tablebases-1
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sizzlejs.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://skia.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://source.corp.google.com/piper///depot/google3/third_party/tamachiyomi/README.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sourceforge.net/projects/wtl/files/WTL%2010/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448875642.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449217643.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448162228.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449380697.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449616067.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448748666.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449751499.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448359715.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449000858.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448875642.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449217643.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450380398.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448162228.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449380697.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449616067.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448748666.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449751499.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448359715.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449000858.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security).
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-9.1
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tukaani.org/xz/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tukaani.org/xz/>.
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/intent/user?screen_name=troygoode)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/cliui
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/yargs-parser
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://v8.dev/
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/aria/#aria-hidden.
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/aria/#aria-hidden.Blocked
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/aria/#namefromprohibited.
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/uievents/#legacy-event-types)
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webkit.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/4664843055398912
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5738264052891648
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5738264052891648Renderer.Font.PrimaryFont.FCPRenderer.Font.Prim
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromium.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cl.cam.ac.uk/%7Emgk25/ucs/utf8_check.c
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.khronos.org/registry/
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.khronos.org/spir/visualizer/
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.npmjs.com/package/wrap-ansi
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.opensource.org/licenses/bsd-license.php)
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.patreon.com/feross
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/copyright.html.
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/.
Source: cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yargs.js.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://zod.dev

Source: cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_1d1e5bb2-5

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File dump: Teams.exe.0.dr 188819968			Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File dump: Teams.exe0.0.dr 188819968			Jump to dropped file

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Process token adjusted: Security

Jump to behavior

Source: cMqyGFCQHk.exe

Static PE information: invalid certificate

Source: Teams.exe0.0.dr	Static PE information: Number of sections : 15 > 10
Source: Teams.exe.0.dr	Static PE information: Number of sections : 15 > 10

Source: cMqyGFCQHk.exe, 00000000.00000003.2265795013.0000000005F16000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2390610484.00000000047BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2447177094.00000000047BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2402682137.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename, vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs cMqyGFCQHk.exe

Source: cMqyGFCQHk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.spre.winEXE@28/107@0/0

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Mutant created: \Sessions\1\BaseNamedObjects\mfx_d3d_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2184:120:WilError_03
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Mutant created: \Sessions\1\BaseNamedObjects\8013f783-e1a2-5f53-80da-b1ad483bd59f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_03

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File created: C:\Users\user\AppData\Local\Temp\nsqC4C.tmp

Jump to behavior

Source: cMqyGFCQHk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TEAMS.EXE'

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File read: C:\Users\user\Desktop\cMqyGFCQHk.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cMqyGFCQHk.exe "C:\Users\user\Desktop\cMqyGFCQHk.exe"
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "Teams.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll	Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv

Source: MyElectronApp.lnk.14.dr

LNK file: ..\..\..\..\..\..\Local\Programs\Teams\Teams.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8013f783-e1a2-5f53-80da-b1ad483bd59f

Jump to behavior

Source: cMqyGFCQHk.exe

Static file information: File size 86797392 > 1048576

Source: cMqyGFCQHk.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ffmpeg.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2392381415.00000000047BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2390610484.00000000047BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vulkan-1.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2368310453.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2374409262.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2368094273.0000000002D20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: cMqyGFCQHk.exe, 00000000.00000003.2390610484.00000000047BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: electron.exe.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vk_swiftshader.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2447177094.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2375843554.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp

Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.0.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr	Static PE information: section name: _RDATA
Source: ffmpeg.dll.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.0.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr	Static PE information: section name: .retplne
Source: libEGL.dll.0.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.0.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr	Static PE information: section name: _RDATA
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.0.dr	Static PE information: section name: .gxfg
Source: libEGL.dll0.0.dr	Static PE information: section name: .retplne
Source: libEGL.dll0.0.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll0.0.dr	Static PE information: section name: _RDATA
Source: fastlist-0.3.0-x64.exe.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe.0.dr	Static PE information: section name: .gxfg
Source: Teams.exe.0.dr	Static PE information: section name: .retplne
Source: Teams.exe.0.dr	Static PE information: section name: .rodata
Source: Teams.exe.0.dr	Static PE information: section name: CPADinfo
Source: Teams.exe.0.dr	Static PE information: section name: LZMADEC
Source: Teams.exe.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe.0.dr	Static PE information: section name: malloc_h
Source: Teams.exe.0.dr	Static PE information: section name: prot
Source: Teams.exe0.0.dr	Static PE information: section name: .gxfg
Source: Teams.exe0.0.dr	Static PE information: section name: .retplne
Source: Teams.exe0.0.dr	Static PE information: section name: .rodata
Source: Teams.exe0.0.dr	Static PE information: section name: CPADinfo
Source: Teams.exe0.0.dr	Static PE information: section name: LZMADEC
Source: Teams.exe0.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe0.0.dr	Static PE information: section name: malloc_h
Source: Teams.exe0.0.dr	Static PE information: section name: prot

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\Teams.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\nsExec.dll	Jump to dropped file

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\LICENSE.electron.txt			Jump to behavior

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = ''# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = ''# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = ''# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = ''# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4414	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2732	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3013
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1596

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\nsExec.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076	Thread sleep count: 4414 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076	Thread sleep count: 2732 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3976	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812	Thread sleep count: 3013 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2064	Thread sleep count: 1596 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4368	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\locales	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources	Jump to behavior

Source: cMqyGFCQHk.exe, 00000000.00000003.2449983631.0000000004310000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: bCK1sK9IRQq9qEmUv4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMB
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (IsLinux() && isVMWare) \|\| (IsAndroid() && isNvidia) \|\| (IsAndroid() && GetAndroidSDKVersion() < 27 && IsAdreno5xxOrOlder(functions)) \|\| (!isMesa && IsMaliT8xxOrOlder(functions)) \|\| (!isMesa && IsMaliG31OrOlder(functions))
Source: cMqyGFCQHk.exe, 00000000.00000003.2449947151.000000000432A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3
Source: cMqyGFCQHk.exe, 00000000.00000003.2392381415.00000000047BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tgaR
Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: cMqyGFCQHk.exe, 00000000.00000003.2392381415.00000000047BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Screen Codec / VMware Video
Source: cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ZAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTestp

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\teams" --gpu-preferences=uaaaaaaaaadgaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaaacaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell "$s=(new-object -com wscript.shell).createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\myelectronapp.lnk');$s.targetpath='c:\users\user\appdata\local\programs\teams\teams.exe';$s.save()""
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell "$s=(new-object -com wscript.shell).createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\myelectronapp.lnk');$s.targetpath='c:\users\user\appdata\local\programs\teams\teams.exe';$s.save()""
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\teams" --gpu-preferences=uaaaaaaaaadgaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaaacaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\teams" --gpu-preferences=uaaaaaaaaadgaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaaacaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell "$s=(new-object -com wscript.shell).createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\myelectronapp.lnk');$s.targetpath='c:\users\user\appdata\local\programs\teams\teams.exe';$s.save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell "$s=(new-object -com wscript.shell).createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\myelectronapp.lnk');$s.targetpath='c:\users\user\appdata\local\programs\teams\teams.exe';$s.save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\teams" --gpu-preferences=uaaaaaaaaadgaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaaacaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "c:\users\user\appdata\local\programs\teams\teams.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3	Jump to behavior

Source: cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman..\..\third_party\webrtc\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displaySysShadowWebRTC.DesktopCapture.Win.WindowGdiCapturerFrameTime..\..\third_party\webrtc\modules\desktop_capture\win\window_capturer_win_gdi.ccWindow hasn't been selected: Target window has been closed.Failed to get drawable window area: Failed to get window DC: Failed to create frame.Both PrintWindow() and BitBlt() failed.Capturing owned window failed (previous error/warning pertained to that)WindowCapturerWinGdi::CaptureFrameWebRTC.DesktopCapture.BlankFrameDetectedWebRTC.DesktopCapture.PrimaryCapturerSelectSourceErrorWebRTC.DesktopCapture.PrimaryCapturerErrorWebRTC.DesktopCapture.PrimaryCapturerPermanentErrordwmapi.dllDwmEnableComposition..\..\third_party\webrtc\modules\desktop_capture\win\screen_capturer_win_gdi.ccFailed to capture screen by GDI.WebRTC.DesktopCapture.Win.ScreenGdiCapturerFrameTimedesktop_dc_memory_dc_Failed to get screen rect.Failed to create frame buffer.Failed to select current bitmap into memery dc.BitBlt failedScreenCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\cursor.ccwebrtc::CreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = `

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Local\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Local\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Teams VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Teams\resources VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams\config.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams\config.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	12 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	3 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	12 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\Teams.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\resources\elevate.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\SpiderBanner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\StdUtils.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\nsis7z.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://w3c.github.io/aria/#namefromprohibited.	0%	Avira URL Cloud	safe
https://anglebug.com/42266740	0%	Avira URL Cloud	safe
https://anglebug.com/42266745	0%	Avira URL Cloud	safe
https://yargs.js.org/	0%	Avira URL Cloud	safe
https://secure.travis-ci.org/troygoode/node-require-directory.png)	0%	Avira URL Cloud	safe
https://anglebug.com/42265782	0%	Avira URL Cloud	safe
http://anglebug.com/42263031	0%	Avira URL Cloud	safe
https://anglebug.com/42266748	0%	Avira URL Cloud	safe
http://anglebug.com/40096661	0%	Avira URL Cloud	safe
https://nodei.co/npm/require-directory/)	0%	Avira URL Cloud	safe
http://anglebug.com/40096454	0%	Avira URL Cloud	safe
https://tukaani.org/xz/>.	0%	Avira URL Cloud	safe
https://anglebug.com/42265877	0%	Avira URL Cloud	safe
https://w3c.github.io/aria/#aria-hidden.	0%	Avira URL Cloud	safe
http://fresc81.github.io/node-winreg	0%	Avira URL Cloud	safe
http://anglebug.com/40644663	0%	Avira URL Cloud	safe
http://anglebug.com/42264008	0%	Avira URL Cloud	safe
http://anglebug.com/42262247	0%	Avira URL Cloud	safe
http://anglebug.com/40096758	0%	Avira URL Cloud	safe
http://anglebug.com/42265995	0%	Avira URL Cloud	safe
http://anglebug.com/42261924allowClearForRobustResourceInitSome	0%	Avira URL Cloud	safe
http://anglebug.com/40096643	0%	Avira URL Cloud	safe
http://anglebug.com/42266610	0%	Avira URL Cloud	safe
http://anglebug.com/40096648	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/lgeiger/node-abi/issues/54	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mcollina/reusify#readme	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#concept-url-origin	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-status	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/simplejson/simplejson	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6098869	cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448875642.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449217643.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450380398.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448162228.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449380697.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449616067.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448748666.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449751499.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448359715.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449000858.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/40096661	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/prebuild/prebuild-install	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/2638965835	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jesec/pkg-fetch/actions/runs/2639072106	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/feross/queue-microtask	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/string_decoder	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goo.gl/7K7WLuThe	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crbug.com/1356053	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://secure.travis-ci.org/troygoode/node-require-directory.png)	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://goo.gl/7K7WLu	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u	cMqyGFCQHk.exe, 00000000.00000003.2450380398.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.patreon.com/feross	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goo.gl/t5IS6M).	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crbug.com/110263	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/2638965968	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://anglebug.com/42265782	cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yargs.js.org/	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://semver.org/	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/pprof/tree/master/proto	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jrmuizel/qcms/tree/v4	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://npmjs.org/package/require-directory))	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromium.googlesource.com/chromium/src/	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://w3c.github.io/aria/#namefromprohibited.	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3rpDuEX.	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crbug.com/593024	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://anglebug.com/42266748	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/tensorflow/models	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://anglebug.com/42266745	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://c.docs.google.com/	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/KhronosGroup/SPIRV-Headers.git	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://anglebug.com/42266740	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/42263031	cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nodei.co/npm/require-directory/)	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crbug.com/1300575	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crbug.com/710443	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/tflite-support	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/WICG/scheduling-apis	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/42264008	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/pyparsing	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sqlite.org/	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u	cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://code.google.com/p/v8/wiki/JavaScriptStackTraceApi	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crbug.com/1060012	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://code.google.com/p/chromium/issues/detail?id=25916	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php)	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stackoverflow.com/a/1068308/13216	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jesec/pkg-fetch/actions/runs/2639072371	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crbug.com/642605	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://twitter.com/intent/user?screen_name=troygoode)	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/40096454	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-statusFailed	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/libuv/libuv/pull/1088	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tukaani.org/xz/>.	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fresc81.github.io/node-winreg	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sizzlejs.com/	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/40644663	cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crbug.com/650547callClearTwiceUsing	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://medium.com/	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crbug.com/1420130	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.portaudio.com	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://beacons.gcp.gvt2.com/domainreliability/upload	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2379407887.0000000006973000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/2068735040	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://anglebug.com/42265877	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/vercel/pkg-fetch/actions/runs/752615557	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/RyanZim/universalify.git	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://w3c.github.io/aria/#aria-hidden.	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/shell-encryption	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/42265995	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/wasdk/wasmparser	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/42262247	cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://unpkg.com/cliui	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/dpranke/typ.git	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/issues/8987	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/752615423	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	cMqyGFCQHk.exe, 00000000.00000003.2448284804.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450196344.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448461981.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450504066.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2450088927.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2448658210.00000000055B1000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2449882670.00000000055B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/40096758	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/42261924allowClearForRobustResourceInitSome	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.khronos.org/registry/	cMqyGFCQHk.exe, 00000000.00000003.2397805375.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2239552581.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/42266610	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/sponsors/feross	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://.jpg	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006788000.00000004.00001000.00020000.00000000.sdmp	false		high
https://xhr.spec.whatwg.org/.	cMqyGFCQHk.exe, 00000000.00000003.2377337373.0000000006430000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/40096643	cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.khronos.org/spir/visualizer/	cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/40096648	cMqyGFCQHk.exe, 00000000.00000003.2395639006.00000000047B2000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2270843207.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sindresorhus.com	cMqyGFCQHk.exe, 00000000.00000003.2259845772.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556006
Start date and time:	2024-11-14 19:44:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cMqyGFCQHk.exe renamed because original name is a hash value
Original Sample Name:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7.exe
Detection:	MAL
Classification:	mal60.spre.winEXE@28/107@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: cMqyGFCQHk.exe

Simulations

Behavior and APIs

Time	Type	Description
13:45:25	API Interceptor	21x Sleep call for process: cMqyGFCQHk.exe modified
13:45:45	API Interceptor	14x Sleep call for process: powershell.exe modified
19:45:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	Soltix.exe	Get hash	malicious	Unknown	Browse
	Soltix.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	svchost.exe	Get hash	malicious	Unknown	Browse
	JaborSetup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\cMqyGFCQHk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	5.13006727705212
Encrypted:	false
SSDEEP:	24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5:	4D42118D35941E0F664DDDBD83F633C5
SHA1:	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256:	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512:	3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious:	false
Preview:	Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999770167797606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cMqyGFCQHk.exe
File size:	86'797'392 bytes
MD5:	b408e3da98f0e457d627510165374ddd
SHA1:	49de055d881896670ce8b1ba1633d5f8b4f8e193
SHA256:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7
SHA512:	3a092bd3ec86a4793a94b0e7b0dd50f50a1b9ea6c65b0628e912b7df967e267b236dbbee6b7d4fbc9deed6c5bc879ec5c2ee5f7bfe9460ec75121ebdfe7a4a73
SSDEEP:	1572864:4k2/ebAbWsL+/5FLl9Noabh+XJhXhQiB1dJdYVkq7U4hmfiGWk:4G0bu5hl9OOh01VJY+qw0uiTk
TLSH:	5E1833980792C262D3E414B8E5F363FB31027E1A8B351A993124B6DCF6271DA15B58FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	15/10/2024 20:29:09 16/10/2025 20:29:09
Subject Chain	CN="Lion Software, LLC", O="Lion Software, LLC", STREET=60 County Road 537, L=Centre, S=Alabama, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Alabama, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=000-541-240, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	AC575FB5F87D72747656ED9FFBAEB0DA
Thumbprint SHA-1:	A243692CD9205CFE32BEEF144B7D84350F3AA0E6
Thumbprint SHA-256:	482DFF658DB3FF3B08ED60A99B5434DE6E8CF3F1DCB782831AA0B22978F7C49D
Serial:	1AF0A44396DD57AC87ECB79D

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19f000	0x2c4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x52c5a28	0x1228
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	7618d4c0cd8bb67ea9595b4266b3a91f	False	0.6646259014423077	data	6.450282348506287	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a2	0x1600	eecac1fed9cc6b447d50940d178404d8	False	0.4405184659090909	data	5.025178929113415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x70ff8	0x600	db8f31a08a2242d80c29e1f9500c6527	False	0.5182291666666666	data	4.037117731448378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7b000	0x124000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19f000	0x2c4d8	0x2c600	17ecf0cb331acf3e0aa34f7130f91d58	False	0.20090779049295773	data	4.330797014530664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19f7d8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.10857683413916334
RT_ICON	0x1a8c80	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.11736842105263158
RT_ICON	0x1af468	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.1307301293900185
RT_ICON	0x1b48f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.1379900803023146
RT_ICON	0x1b8b18	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880	English	United States	0.14711796246648792
RT_ICON	0x1bc560	0x3524	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9886062922669803
RT_ICON	0x1bfa88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.18443983402489628
RT_ICON	0x1c2030	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.20310650887573964
RT_ICON	0x1c3a98	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.24876586741889986
RT_ICON	0x1c50c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.08864915572232646
RT_ICON	0x1c6168	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.298773987206823
RT_ICON	0x1c7010	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.125
RT_ICON	0x1c7998	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.1565884476534296
RT_ICON	0x1c8240	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.13895348837209304
RT_ICON	0x1c88f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.16329479768786126
RT_ICON	0x1c8e60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.17819148936170212
RT_ICON	0x1c92c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3064516129032258
RT_ICON	0x1c95b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.48986486486486486
RT_DIALOG	0x1c96d8	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x1c98e0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x1c99d8	0xee	data	English	United States	0.6260504201680672
RT_DIALOG	0x1c9ac8	0x1fa	data	English	United States	0.40118577075098816
RT_DIALOG	0x1c9cc8	0xf0	data	English	United States	0.6666666666666666
RT_DIALOG	0x1c9db8	0xe6	data	English	United States	0.6565217391304348
RT_DIALOG	0x1c9ea0	0x1ee	data	English	United States	0.38866396761133604
RT_DIALOG	0x1ca090	0xe4	data	English	United States	0.6447368421052632
RT_DIALOG	0x1ca178	0xda	data	English	United States	0.6422018348623854
RT_DIALOG	0x1ca258	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x1ca448	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x1ca530	0xda	data	English	United States	0.6376146788990825
RT_DIALOG	0x1ca610	0x1f2	data	English	United States	0.39759036144578314
RT_DIALOG	0x1ca808	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0x1ca8f0	0xde	data	English	United States	0.6486486486486487
RT_DIALOG	0x1ca9d0	0x202	data	English	United States	0.42217898832684825
RT_DIALOG	0x1cabd8	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x1cacd0	0xee	data	English	United States	0.6512605042016807
RT_GROUP_ICON	0x1cadc0	0x102	data	English	United States	0.627906976744186
RT_VERSION	0x1caec8	0x1e4	data	English	United States	0.49793388429752067
RT_MANIFEST	0x1cb0b0	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Target ID:	0
Start time:	13:45:09
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\cMqyGFCQHk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cMqyGFCQHk.exe"
Imagebase:	0x400000
File size:	86'797'392 bytes
MD5 hash:	B408E3DA98F0E457D627510165374DDD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	13:45:11
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	13:45:40
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Imagebase:	0x7ff7ef5e0000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	13:45:43
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1708,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:2
Imagebase:	0x7ff7ef5e0000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	12
Start time:	13:45:42
Start date:	14/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Imagebase:	0x7ff72eb40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	13:45:46
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2576,i,13854425415668292357,6166449907864565243,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3
Imagebase:	0x7ff7ef5e0000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	18
Start time:	13:45:58
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Imagebase:	0x7ff7ef5e0000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	20
Start time:	13:45:59
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1808,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2
Imagebase:	0x7ff7ef5e0000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	23
Start time:	13:46:01
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2424,i,11489529828536578193,12839987917968536577,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3
Imagebase:	0x7ff7ef5e0000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cMqyGFCQHk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Programs\Teams\LICENSE.electron.txt

C:\Users\user\AppData\Local\Programs\Teams\LICENSES.chromium.html

C:\Users\user\AppData\Local\Programs\Teams\Teams.exe

C:\Users\user\AppData\Local\Programs\Teams\chrome_100_percent.pak

C:\Users\user\AppData\Local\Programs\Teams\chrome_200_percent.pak

C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Programs\Teams\ffmpeg.dll

C:\Users\user\AppData\Local\Programs\Teams\icudtl.dat

C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll

C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll

C:\Users\user\AppData\Local\Programs\Teams\resources.pak

C:\Users\user\AppData\Local\Programs\Teams\snapshot_blob.bin

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkkv1ur1.rj4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpp0s5ix.o1t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ji1uvzij.pud.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjbezpvp.4uw.ps1

C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\LICENSE.electron.txt

C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\LICENSES.chromium.html

C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\Teams.exe

C:\Users\user\AppData\Local\Temp\nsrDD4.tmp\7z-out\chrome_100_percent.pak

Windows Analysis Report
cMqyGFCQHk.exe

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre