Edit tour

Windows Analysis Report
cMqyGFCQHk.exe

Overview

General Information

Sample name:	cMqyGFCQHk.exe renamed because original name is a hash value
Original sample name:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7.exe
Analysis ID:	1556006
MD5:	b408e3da98f0e457d627510165374ddd
SHA1:	49de055d881896670ce8b1ba1633d5f8b4f8e193
SHA256:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7
Tags:	exeLionSoftwareLLCuser-JAMESWT_MHT
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Powershell create lnk in startup

Drops large PE files

Powershell creates an autostart link

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Electron Application Child Processes

Stores files to the Windows start menu directory

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cMqyGFCQHk.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\cMqyGFCQHk.exe" MD5: B408E3DA98F0E457D627510165374DDD)

cmd.exe (PID: 3212 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv | "C:\Windows\system32\find.exe" "Teams.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 356 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 4032 cmdline: "C:\Windows\system32\find.exe" "Teams.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

Teams.exe (PID: 7128 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" MD5: 102326801694C938E466C8D96E4200BD)

cmd.exe (PID: 776 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2896 cmdline: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)

Teams.exe (PID: 6448 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1804,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1796 /prefetch:2 MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 4148 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2464,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3 MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 3080 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2548,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8 MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 7072 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1704,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1696 /prefetch:2 MD5: 102326801694C938E466C8D96E4200BD)

cmd.exe (PID: 4176 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4020 cmdline: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)

Teams.exe (PID: 6900 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2428,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3 MD5: 102326801694C938E466C8D96E4200BD)

Teams.exe (PID: 4000 cmdline: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1200,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:8 MD5: 102326801694C938E466C8D96E4200BD)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Source: File created

Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe, ParentProcessId: 7128, ParentProcessName: Teams.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", ProcessId: 776, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()", CommandLine: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 776, ParentProcessName: cmd.exe, ProcessCommandLine: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()", ProcessId: 2896, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Powershell create lnk in startup

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe, ParentProcessId: 7128, ParentProcessName: Teams.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"", ProcessId: 776, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: cMqyGFCQHk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8013f783-e1a2-5f53-80da-b1ad483bd59f

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\LICENSE.electron.txt			Jump to behavior

Source: cMqyGFCQHk.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ffmpeg.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2411113268.000000000519B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2409838844.000000000519E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2415397263.0000000004C34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\test\x64\Release\test.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2483412748.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vulkan-1.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2406041139.00000000066F0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2402713940.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2402317830.0000000005330000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dev\test\Release\test.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2483647992.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: cMqyGFCQHk.exe, 00000000.00000003.2409838844.000000000519E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: electron.exe.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: <C:\dev\test\x64\Release\test.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2483412748.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2416602923.0000000005190000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2317642252.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vk_swiftshader.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2477515999.000000000519A000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\locales	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked	Jump to behavior

Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: * **Google Hangouts Video**: http://www.youtube.com/watch?v=I9nDOSGfwZg equals www.youtube.com (Youtube)

Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://2x.io)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/python-gflags/
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/smhasher/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gds1-20
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/common
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/commonnode-set..
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://feross.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fresc81.github.io/node-winreg
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/troygoode/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.github.io/snappy/
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icl.com/saxon
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icl.com/saxonorg.apache.xalan.xslt.extensions.RedirectxsltDocumentElem:
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://n8.io/)
Source: cMqyGFCQHk.exe, 00000000.00000002.2527514411.000000000040A000.00000004.00000001.01000000.00000003.sdmp, cMqyGFCQHk.exe, 00000000.00000000.2217681375.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0J
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.perlig.de/rjsmin/
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s..
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/a/1068308/13216
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://substack.net
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://travis-ci.org/troygoode/node-require-directory)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.futurealoof.com)
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gutenberg.org/ebooks/53).
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jclark.com/xt
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/bsd-license.php
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php)
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pertinentdetail.org/sqrt
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ploscompbiol.org/static/license
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.polymer-project.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.portaudio.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.softsynth.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=I9nDOSGfwZg
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/namespace
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/namespacehttp://www.jclark.com/xtxsl:key
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/xsltNewExtDef
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%s:%d/.well-known/masque/udp/%s/%d/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%s:%d/.well-known/masque/udp/%s/%d/Net.QuicStreamFactory.DefaultNetworkMatchNet.QuicSession.
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://android.com/pay
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.googlesource.com/platform/external/puffin
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/uploadhttps://beacons.gvt2.com/domainreliability/uplo
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons3.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/audio-worklet)
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/audio-worklet)..
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.htmlMixed
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hu&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2480625633.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5105856067141632.
Source: cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2480625633.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481468216.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2477975318.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478464913.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/domainreliability/upload
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/v8/wiki/JavaScriptStackTraceApi
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#clear
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count-map
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#countreset
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#table
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1038223.
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1144908
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1144908.
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1144908.The
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1144908Changing
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1429681
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119Blink.Script.SchedulingTypeScriptLoader
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/981419
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/v8/7848
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by/3.0/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/blog/enabling-shared-array-buffer/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/service_workers/events/
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/service_workers/events/Script
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/includes
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/17aTgLnjMXIrfjgNaTUnHQO7m3xgzHR2VXBTmi03Qii4/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#dom-event-stopimmediatepropagation
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#interface-abortcontroller
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#interface-eventtarget
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://domenic.me/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-flush
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://example.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://example.orgExpired
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://feross.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://feross.org/opensource
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://feross.org/support
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-method
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#headers-class
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#request-class
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#response-class
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ChromeDevTools/devtools-frontend/blob/4275917f84266ef40613db3c1784a25f902ea74e/fr
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Maratyszcza/pthreadpool
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Nicoshev/rapidhash
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Nicoshev/rapidhash/blob/master/rapidhash.h
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PortAudio/portaudio/tree/master/src/common
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ReactiveX/rxjs
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/RyanZim/universalify#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/RyanZim/universalify.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/STRML/async-limiter
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Sebmaster/tr46.js#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Sebmaster/tr46.js.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/SeleniumHQ/selenium/tree/trunk
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TooTallNate/util-deprecate
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TroyGoode)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.border-boxcontent-bo
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/scheduling-apis
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/shared-element-transitions/blob/main/debugging_overflow_on_images.md.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/view-transitions/blob/main/debugging_overflow_on_images.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WebBluetoothCG/web-bluetooth/blob/main/implementation-status.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/brailcom/speechd
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/brycebaril/node-stream-meter.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/supports-color
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/wrap-ansi?sponsor=1
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/conventional-changelog/standard-version):
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/denoland/deno
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/denoland/deno/blob/main/LICENSE.md.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/denoland/deno/blob/v1.29.1/ext/crypto/00_crypto.js#L195
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dominictarr/rc.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/etingof/pyasn1
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/queue-microtask
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/run-parallel
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/safe-buffer
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/simple-concat
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/simple-get
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fresc81/node-winreg
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-compiler/wiki/Source-Maps
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/pprof/tree/master/proto
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/private-join-and-compute
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/protobuf
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/re2
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/securemessage
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/sentencepiece
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/shell-encryption
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/heycam/webidl/pull/946.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/is-core-module
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/is-core-module.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/is-date-object/blob/main/index.js#L3-L11
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/node-supports-preserve-symlinks-flag#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/intel/libva
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/101)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/102)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/105)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/106
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/issues/99)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iojs/readable-stream/labels/wg-agenda
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/color-support.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068737927
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068738228
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068738548
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2068742592
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639071916
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639072106
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639072371
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jesec/pkg-fetch/actions/runs/2639072571
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jonschlinkert)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jprichardson/node-fs-extra
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jrmuizel/qcms/tree/v4
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jsdom/webidl-conversions
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jsdom/webidl-conversions/blob/master/LICENSE.md.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lgeiger/node-abi/issues/54
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1088
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/2025.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ljharb)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/pump
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mcollina/reusify#readme
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mcollina/reusify.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/micromatch/to-regex-range
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mikeal/tunnel-agent
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mysticatea/abort-controller
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/TSC/blob/master/Moderation-Policy.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/blob/master/CODE_OF_CONDUCT.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/blob/v10.8.0/lib/internal/errors.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/10673
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/3392
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/34532
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35475
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35981
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39707
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39758
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/44985
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/49472
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/51486
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/52219
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/8871#issuecomment-250915913
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/8987
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33661
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/3394
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34385
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35407#issuecomment-700693439
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/46161
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/48477#issuecomment-1604586650
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/49891#issuecomment-1744673430.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/string_decoder
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/normalize/mz
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/cli/blob/4c65cd952bc8627811735bea76b9b110cc4fc80e/lib/utils/ansi-trim.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-semver.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/blob/51b6627a1f357d2eb433e7378e5f05e83b7aa6cd/lib/header.js#L349
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/wrappy
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/prebuild/prebuild-install
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/prebuild/prebuild-install.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/protocolbuffers/protobuf-javascript
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/protocolbuffers/protobuf/blob/master/java/lite.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/puppeteer/puppeteer/tree/main/packages/puppeteer-core
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sass/node-sass/issues/1589#issuecomment-265292579
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/simplejson/simplejson
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/make-dir
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/os-homedir/blob/11e089f4754db38bb535e5a8416320c4446e8cfd/index.js
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sinonjs/fake-timers/blob/a4c757f80840829e45e0852ea1b17d87a998388e/src/fake-timers
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/broofa
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/ctavan
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/feross
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/ljharb
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-weakrefs
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/troygoode/node-require-directory/
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/uuidjs/uuid#getrandomvalues-not-supported
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/uuidjs/uuid.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/v8/v8/blob/6.0.122/test/mjsunit/fast-prototype.js#L48-L63
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068735040
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068735307
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068735697
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068736093
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2068736404
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638965835
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638965968
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638966056
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638966247
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/2638966552
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615021
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615173
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615423
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615557
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/752615807
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438143
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438190
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/888438236
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/actions/runs/918633749
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vercel/pkg-fetch/releases/download/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4805
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4805Custom
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120Access
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-features
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-featuresDeviceOri
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws/issues/1202
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws/issues/1869.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/websockets/ws/issues/1940.
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/xiph/rnnoise
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/y18n
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs#supported-nodejs-versions
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs-parser#supported-nodejs-versions
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs-parser.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yargs/yargs.git
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zorkow/speech-rule-user
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/4NeimX
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/4NeimXAccess
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/4NeimXOrigin
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/4NeimXgetDescriptor(s)
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/4NeimXreadValue()
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/4NeimXwriteValue()
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/EuHzyv
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/HxfxSQ
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/HxfxSQOrigin
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/HxfxSQrequestDevice()
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/J6ASzs
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/J6ASzsBluetooth
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22Media
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22RemoveElementFromDocumentMapit
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/t5IS6M).
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gle/chrome-insecure-origins
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/pay
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hackerone.com/reports/541502
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/comms.html#the-websocket-interface
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/web-messaging.html#broadcasting-to-other-browsing-contexts
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ltp.sourceforge.net/coverage/lcov/geninfo.1.php
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://medium.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://no-color.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodei.co/npm/require-directory.png?downloads=true&stars=true)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodei.co/npm/require-directory/)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/permissions.html#file-system-permissions
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://npmjs.org/package/require-directory))
Source: cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: cMqyGFCQHk.exe, 00000000.00000003.2480625633.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comKonta
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pay.google.com/authentication
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/billing
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/billinghttps://google.com/payhttps://android.com/payhttps://pay.google.com/a
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://polymer-library.polymer-project.org
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/pyparsing
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/six/
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.python.org/pypi/pyfakefs
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://quiche.googlesource.com/quiche
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://redux.js.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://secure.travis-ci.org/troygoode/node-require-directory.png)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://semver.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com)
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/site/gaviotachessuser/Home/endgame-tablebases-1
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sizzlejs.com/
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skia.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sourcemaps.info/spec.html
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://streams.spec.whatwg.org/#example-manual-write-with-backpressure
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://streams.spec.whatwg.org/#example-rbs-pull
Source: cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2479792300.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481225639.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478185118.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2480146293.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481468216.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2477975318.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478464913.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2479792300.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2480625633.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481225639.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478185118.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2480146293.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481468216.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2477975318.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478464913.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#eqn-modulo
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-HostLoadImportedModule.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-tonumber
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security).
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-9.1
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/intent/user?screen_name=troygoode)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/cliui
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/yargs-parser
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://v8.dev/docs/stack-trace-api#customizing-stack-traces.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://v8.dev/docs/stack-trace-api.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/FileAPI/#creating-revoking
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/aria/#aria-hidden.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/aria/#aria-hidden.Blocked
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/manifest/#installability-signals
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/manifest/#installability-signals0
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dom-performance-setresourcetimingbuffersize
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/uievents/#legacy-event-types)
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webcrypto/#SubtleCrypto-method-wrapKey
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed.
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#abstract-opdef-converttoint
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#abstract-opdef-integerpart
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-DOMString
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-dictionary
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-invoking-callback-functions
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://websockets.spec.whatwg.org/
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bluetooth.com/specifications/gatt/characteristics
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bluetooth.com/specifications/gatt/descriptors
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bluetooth.com/specifications/gatt/services
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5093566007214080
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5093566007214080ErrorEventInit
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5636954674692096
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5644273861001216.
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5682658461876224.
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5718547946799104
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5738264052891648
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5738264052891648Renderer.Font.PrimaryFont.FCPRenderer.Font.Prim
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312
Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312InputDeviceCapabilities
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cl.cam.ac.uk/%7Emgk25/ucs/utf8_check.c
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.khronos.org/registry/
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.npmjs.com/package/wrap-ansi
Source: cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opensource.org/licenses/bsd-license.php)
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.patreon.com/feross
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/#interface-formdata
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/.
Source: cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yargs.js.org/

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405461

Source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_36524828-3

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File dump: Teams.exe.0.dr 188819968			Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File dump: Teams.exe0.0.dr 188819968			Jump to dropped file

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040338F

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_00404C9E	0_2_00404C9E

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Process token adjusted: Security

Jump to behavior

Source: cMqyGFCQHk.exe

Static PE information: invalid certificate

Source: Teams.exe0.0.dr	Static PE information: Number of sections : 15 > 10
Source: Teams.exe.0.dr	Static PE information: Number of sections : 15 > 10

Source: cMqyGFCQHk.exe, 00000000.00000003.2477515999.000000000519A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2423239558.0000000005192000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename, vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2415397263.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibEGL.dllb! vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2309788789.0000000005D56000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2416602923.0000000005190000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2317642252.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs cMqyGFCQHk.exe
Source: cMqyGFCQHk.exe, 00000000.00000003.2409838844.000000000519E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs cMqyGFCQHk.exe

Source: cMqyGFCQHk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.spre.winEXE@32/110@0/0

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

0_2_0040338F

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Mutant created: \Sessions\1\BaseNamedObjects\mfx_d3d_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Mutant created: \Sessions\1\BaseNamedObjects\8013f783-e1a2-5f53-80da-b1ad483bd59f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File created: C:\Users\user\AppData\Local\Temp\nswF9C0.tmp

Jump to behavior

Source: cMqyGFCQHk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TEAMS.EXE'

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

File read: C:\Users\user\Desktop\cMqyGFCQHk.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cMqyGFCQHk.exe "C:\Users\user\Desktop\cMqyGFCQHk.exe"
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "Teams.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1804,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1796 /prefetch:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2464,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1704,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1696 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2428,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2548,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1200,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:8
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1804,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1796 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2464,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2548,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1704,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1696 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2428,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1200,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d12core.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxilconv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3dscache.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: directml.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d12core.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: dxilconv.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: d3dscache.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: directml.dll
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Section loaded: cabinet.dll

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv

Source: MyElectronApp.lnk.14.dr

LNK file: ..\..\..\..\..\..\Local\Programs\Teams\Teams.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8013f783-e1a2-5f53-80da-b1ad483bd59f

Jump to behavior

Source: cMqyGFCQHk.exe

Static file information: File size 86797392 > 1048576

Source: cMqyGFCQHk.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ffmpeg.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2411113268.000000000519B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2409838844.000000000519E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2415397263.0000000004C34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\test\x64\Release\test.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2483412748.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vulkan-1.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2406041139.00000000066F0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2402713940.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2402317830.0000000005330000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dev\test\Release\test.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2483647992.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: cMqyGFCQHk.exe, 00000000.00000003.2409838844.000000000519E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: electron.exe.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: <C:\dev\test\x64\Release\test.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2483412748.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2416602923.0000000005190000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2317642252.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vk_swiftshader.dll.pdb source: cMqyGFCQHk.exe, 00000000.00000003.2477515999.000000000519A000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp

Source: ffmpeg.dll.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.0.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr	Static PE information: section name: .retplne
Source: libEGL.dll.0.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.0.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe.0.dr	Static PE information: section name: .gxfg
Source: Teams.exe.0.dr	Static PE information: section name: .retplne
Source: Teams.exe.0.dr	Static PE information: section name: .rodata
Source: Teams.exe.0.dr	Static PE information: section name: CPADinfo
Source: Teams.exe.0.dr	Static PE information: section name: LZMADEC
Source: Teams.exe.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe.0.dr	Static PE information: section name: malloc_h
Source: Teams.exe.0.dr	Static PE information: section name: prot
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.0.dr	Static PE information: section name: .gxfg
Source: libEGL.dll0.0.dr	Static PE information: section name: .retplne
Source: libEGL.dll0.0.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll0.0.dr	Static PE information: section name: _RDATA
Source: fastlist-0.3.0-x64.exe.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe0.0.dr	Static PE information: section name: .gxfg
Source: Teams.exe0.0.dr	Static PE information: section name: .retplne
Source: Teams.exe0.0.dr	Static PE information: section name: .rodata
Source: Teams.exe0.0.dr	Static PE information: section name: CPADinfo
Source: Teams.exe0.0.dr	Static PE information: section name: LZMADEC
Source: Teams.exe0.0.dr	Static PE information: section name: _RDATA
Source: Teams.exe0.0.dr	Static PE information: section name: malloc_h
Source: Teams.exe0.0.dr	Static PE information: section name: prot
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.0.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\Teams.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\ffmpeg.dll	Jump to dropped file

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File created: C:\Users\user\AppData\Local\Programs\Teams\LICENSE.electron.txt			Jump to behavior

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = ''# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = ''# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = ''# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = ''# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3482	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2537	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3173

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6880	Thread sleep count: 3482 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4364	Thread sleep count: 2537 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 3173 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068	Thread sleep count: 333 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\Teams FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\Teams FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\Teams FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\Teams FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	File Volume queried: C:\Users\user FullSizeInformation

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\locales	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources	Jump to behavior
Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	File opened: C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked	Jump to behavior

Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: bCK1sK9IRQq9qEmUv4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMB
Source: cMqyGFCQHk.exe, 00000000.00000003.2317642252.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: cMqyGFCQHk.exe, 00000000.00000003.2317642252.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (IsLinux() && isVMWare) \|\| (IsAndroid() && isNvidia) \|\| (IsAndroid() && GetAndroidSDKVersion() < 27 && IsAdreno5xxOrOlder(functions)) \|\| (!isMesa && IsMaliT8xxOrOlder(functions)) \|\| (!isMesa && IsMaliG31OrOlder(functions))
Source: cMqyGFCQHk.exe, 00000000.00000003.2487835744.0000000004E9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: cMqyGFCQHk.exe, 00000000.00000003.2411113268.000000000519B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tgaR
Source: cMqyGFCQHk.exe, 00000000.00000003.2525644791.0000000000728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a
Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: cMqyGFCQHk.exe, 00000000.00000003.2411113268.000000000519B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Screen Codec / VMware Video
Source: cMqyGFCQHk.exe, 00000000.00000003.2317642252.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ZAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTestp

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

API call chain: ExitProcess graph end node

graph_0-3391

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Teams.exe" /FO csv \| "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Teams.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "Teams.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1804,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1796 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2464,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2548,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1704,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1696 /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2428,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Process created: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe "C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1200,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()"

Source: cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman..\..\third_party\webrtc\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displaySysShadowWebRTC.DesktopCapture.Win.WindowGdiCapturerFrameTime..\..\third_party\webrtc\modules\desktop_capture\win\window_capturer_win_gdi.ccWindow hasn't been selected: Target window has been closed.Failed to get drawable window area: Failed to get window DC: Failed to create frame.Both PrintWindow() and BitBlt() failed.Capturing owned window failed (previous error/warning pertained to that)WindowCapturerWinGdi::CaptureFrameWebRTC.DesktopCapture.BlankFrameDetectedWebRTC.DesktopCapture.PrimaryCapturerSelectSourceErrorWebRTC.DesktopCapture.PrimaryCapturerErrorWebRTC.DesktopCapture.PrimaryCapturerPermanentErrordwmapi.dllDwmEnableComposition..\..\third_party\webrtc\modules\desktop_capture\win\screen_capturer_win_gdi.ccFailed to capture screen by GDI.WebRTC.DesktopCapture.Win.ScreenGdiCapturerFrameTimedesktop_dc_memory_dc_Failed to get screen rect.Failed to create frame buffer.Failed to select current bitmap into memery dc.BitBlt failedScreenCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\cursor.ccwebrtc::CreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = `

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams\config.json VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams\config.json VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation

Source: C:\Users\user\Desktop\cMqyGFCQHk.exe

0_2_0040338F

Source: C:\Users\user\AppData\Local\Programs\Teams\Teams.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	1 Windows Service	21 Virtualization/Sandbox Evasion	LSASS Memory	3 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 DLL Side-Loading	12 Process Injection	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Registry Run Keys / Startup Folder	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	36 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cMqyGFCQHk.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Programs\Teams\Teams.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\Teams.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\resources\elevate.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\SpiderBanner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\StdUtils.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\nsis7z.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://secure.travis-ci.org/troygoode/node-require-directory.png)	0%	Avira URL Cloud	safe
https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events.org/	0%	Avira URL Cloud	safe
http://fresc81.github.io/node-winreg	0%	Avira URL Cloud	safe
https://w3c.github.io/aria/#aria-hidden.	0%	Avira URL Cloud	safe
https://yargs.js.org/	0%	Avira URL Cloud	safe
https://nodei.co/npm/require-directory/)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/lgeiger/node-abi/issues/54	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mcollina/reusify#readme	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#concept-url-origin	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/simplejson/simplejson	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc6455#section-1.3	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6098869	cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2479792300.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2480625633.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481225639.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478185118.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2480146293.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2481468216.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2477975318.0000000004C34000.00000004.00000020.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2478464913.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bluetooth.com/specifications/gatt/services	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/prebuild/prebuild-install	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/2638965835	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/WebBluetoothCG/web-bluetooth/blob/main/implementation-status.md	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jesec/pkg-fetch/actions/runs/2639072106	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/feross/queue-microtask	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.chromestatus.com/feature/5093566007214080	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://console.spec.whatwg.org/#table	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/string_decoder	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://secure.travis-ci.org/troygoode/node-require-directory.png)	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://encoding.spec.whatwg.org/#textencoder	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u	cMqyGFCQHk.exe, 00000000.00000003.2480625633.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.patreon.com/feross	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tc39/proposal-weakrefs	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goo.gl/t5IS6M).	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/2638965968	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/issues/44985	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#concept-urlencoded-serializer	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://yargs.js.org/	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://semver.org/	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/pprof/tree/master/proto	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jrmuizel/qcms/tree/v4	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nodejs.org/api/fs.html	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://npmjs.org/package/require-directory))	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromium.googlesource.com/chromium/src/	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://w3c.github.io/manifest/#installability-signals	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.midnight-commander.org/browser/lib/tty/key.c	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nodejs.org/	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7540#section-8.1.2.5	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://exslt.org/common	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/KhronosGroup/SPIRV-Headers.git	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tc39.es/ecma262/#sec-timeclip	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nodei.co/npm/require-directory/)	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/nodejs/node/pull/33661	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/WICG/scheduling-apis	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/48477#issuecomment-1604586650	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pypi.org/project/pyparsing	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://code.google.com/p/v8/wiki/JavaScriptStackTraceApi	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://code.google.com/p/chromium/issues/detail?id=25916	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://webidl.spec.whatwg.org/#abstract-opdef-converttoint	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php)	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stackoverflow.com/a/1068308/13216	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jesec/pkg-fetch/actions/runs/2639072371	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://twitter.com/intent/user?screen_name=troygoode)	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://fetch.spec.whatwg.org/#fetch-timing-info	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events.org/	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/libuv/libuv/pull/1088	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/12607	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ecma-international.org/ecma-262/#sec-line-terminators	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresc81.github.io/node-winreg	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.chrome.com/docs/extensions/mv3/service_workers/events/Script	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sizzlejs.com/	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medium.com/	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.portaudio.com	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/ChromeDevTools/devtools-frontend/blob/4275917f84266ef40613db3c1784a25f902ea74e/fr	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://beacons.gcp.gvt2.com/domainreliability/upload	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000007248000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/2068735040	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/752615557	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/RyanZim/universalify.git	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://w3c.github.io/aria/#aria-hidden.	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/shell-encryption	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://heycam.github.io/webidl/#es-iterable-entries	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://heycam.github.io/webidl/#es-interfaces	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://unpkg.com/cliui	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/issues	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/denoland/deno/blob/main/LICENSE.md.	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goo.gl/4NeimXOrigin	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tc39.github.io/ecma262/#sec-object.prototype.tostring	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#urlsearchparams	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/issues/8987	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/vercel/pkg-fetch/actions/runs/752615423	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	cMqyGFCQHk.exe, 00000000.00000003.2478846758.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://streams.spec.whatwg.org/#example-manual-write-with-backpressure	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/30380#issuecomment-552948364	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.khronos.org/registry/	cMqyGFCQHk.exe, 00000000.00000003.2293258093.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, cMqyGFCQHk.exe, 00000000.00000003.2418539279.0000000005197000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/sponsors/feross	cMqyGFCQHk.exe, 00000000.00000003.2304404903.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://heycam.github.io/webidl/#dfn-iterator-prototype-object	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc7238	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://android.com/pay	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/38614)	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=hu&category=theme81https://myactivity.google.com/myactivity/?u	cMqyGFCQHk.exe, 00000000.00000003.2479386329.0000000004C34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/issues/10673	cMqyGFCQHk.exe, 00000000.00000003.2406552229.0000000006AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://xhr.spec.whatwg.org/.	cMqyGFCQHk.exe, 00000000.00000003.2406907152.0000000006EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.chromestatus.com/feature/6662647093133312	cMqyGFCQHk.exe, 00000000.00000003.2407447233.00000000073F3000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556006
Start date and time:	2024-11-14 19:54:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cMqyGFCQHk.exe renamed because original name is a hash value
Original Sample Name:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7.exe
Detection:	MAL
Classification:	mal60.spre.winEXE@32/110@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: cMqyGFCQHk.exe

Simulations

Behavior and APIs

Time	Type	Description
19:55:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	http://loop.net.pk/cos.html	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://samobile.net/content/offsite_article.html?url=https%3A%2F%2Fsepedatua.com%2F158983%2Fsecure-redirect%23cnichols%2Bderickdermatology.com&headline=New+Jerusalem%2C+The+by+Chesterton%2C+G.+K	Get hash	malicious	Captcha Phish	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	https://forms.office.com/Pages/ShareFormPage.aspx?id=xW69F1aTs06UvACEsnZeONWs3ov4-fZJk9ZDjpIIN5tUMUFMSUpJVVFUWEtHTFlURVNUWE1QV1hXQi4u&sharetoken=2Z2A4vYPJAA4bBGx5zDg	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Voice Msg Gail.gorman.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://ctrk.klclick.com/l/01JCNJ0H48YX46QX141C2JGKTY_0	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll	Soltix.exe	Get hash	malicious	Unknown	Browse
	Soltix.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Prismifyr_Installer_v2.1 Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	svchost.exe	Get hash	malicious	Unknown	Browse
	JaborSetup.exe	Get hash	malicious	Unknown	Browse
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
File Type:	data
Category:	dropped
Size (bytes):	65552
Entropy (8bit):	0.012618579311362982
Encrypted:	false
SSDEEP:	3:BlllGlll/l/lXp9ZjrPBY0HlGltPoRP:Dl0dPBY0ogJ
MD5:	473BCCBF062D91F7176E32EB7C029304
SHA1:	9CDD8F7BD57A97DBB840EEC76A40304847399A9C
SHA-256:	FB981B16172DB8F963D3B0370809DDD2C7455A18B264E45EA971FEFDAA3B05D9
SHA-512:	FA502C363170AC68853A3F1BB4F1BDF892416523EFF765F0036F29FD120641909E3E53A0972C7F0B2EA70E1CCCCB5B62F45E94E446D2CB48BBBE5898EF4B7B4C
Malicious:	false
Preview:	./.F........................................f...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\cMqyGFCQHk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	5.13006727705212
Encrypted:	false
SSDEEP:	24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5:	4D42118D35941E0F664DDDBD83F633C5
SHA1:	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256:	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512:	3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious:	false
Preview:	Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999770167797606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cMqyGFCQHk.exe
File size:	86'797'392 bytes
MD5:	b408e3da98f0e457d627510165374ddd
SHA1:	49de055d881896670ce8b1ba1633d5f8b4f8e193
SHA256:	3c3f458400c557d279c4d4993f67adc8ba3da4bad8fc844adfef8c7de475a1f7
SHA512:	3a092bd3ec86a4793a94b0e7b0dd50f50a1b9ea6c65b0628e912b7df967e267b236dbbee6b7d4fbc9deed6c5bc879ec5c2ee5f7bfe9460ec75121ebdfe7a4a73
SSDEEP:	1572864:4k2/ebAbWsL+/5FLl9Noabh+XJhXhQiB1dJdYVkq7U4hmfiGWk:4G0bu5hl9OOh01VJY+qw0uiTk
TLSH:	5E1833980792C262D3E414B8E5F363FB31027E1A8B351A993124B6DCF6271DA15B58FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	15/10/2024 20:29:09 16/10/2025 20:29:09
Subject Chain	CN="Lion Software, LLC", O="Lion Software, LLC", STREET=60 County Road 537, L=Centre, S=Alabama, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Alabama, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=000-541-240, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	AC575FB5F87D72747656ED9FFBAEB0DA
Thumbprint SHA-1:	A243692CD9205CFE32BEEF144B7D84350F3AA0E6
Thumbprint SHA-256:	482DFF658DB3FF3B08ED60A99B5434DE6E8CF3F1DCB782831AA0B22978F7C49D
Serial:	1AF0A44396DD57AC87ECB79D

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19f000	0x2c4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x52c5a28	0x1228
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	7618d4c0cd8bb67ea9595b4266b3a91f	False	0.6646259014423077	data	6.450282348506287	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a2	0x1600	eecac1fed9cc6b447d50940d178404d8	False	0.4405184659090909	data	5.025178929113415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x70ff8	0x600	db8f31a08a2242d80c29e1f9500c6527	False	0.5182291666666666	data	4.037117731448378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7b000	0x124000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19f000	0x2c4d8	0x2c600	17ecf0cb331acf3e0aa34f7130f91d58	False	0.20090779049295773	data	4.330797014530664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19f7d8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.10857683413916334
RT_ICON	0x1a8c80	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.11736842105263158
RT_ICON	0x1af468	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.1307301293900185
RT_ICON	0x1b48f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.1379900803023146
RT_ICON	0x1b8b18	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880	English	United States	0.14711796246648792
RT_ICON	0x1bc560	0x3524	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9886062922669803
RT_ICON	0x1bfa88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.18443983402489628
RT_ICON	0x1c2030	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.20310650887573964
RT_ICON	0x1c3a98	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.24876586741889986
RT_ICON	0x1c50c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.08864915572232646
RT_ICON	0x1c6168	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.298773987206823
RT_ICON	0x1c7010	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.125
RT_ICON	0x1c7998	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.1565884476534296
RT_ICON	0x1c8240	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.13895348837209304
RT_ICON	0x1c88f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.16329479768786126
RT_ICON	0x1c8e60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.17819148936170212
RT_ICON	0x1c92c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3064516129032258
RT_ICON	0x1c95b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.48986486486486486
RT_DIALOG	0x1c96d8	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x1c98e0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x1c99d8	0xee	data	English	United States	0.6260504201680672
RT_DIALOG	0x1c9ac8	0x1fa	data	English	United States	0.40118577075098816
RT_DIALOG	0x1c9cc8	0xf0	data	English	United States	0.6666666666666666
RT_DIALOG	0x1c9db8	0xe6	data	English	United States	0.6565217391304348
RT_DIALOG	0x1c9ea0	0x1ee	data	English	United States	0.38866396761133604
RT_DIALOG	0x1ca090	0xe4	data	English	United States	0.6447368421052632
RT_DIALOG	0x1ca178	0xda	data	English	United States	0.6422018348623854
RT_DIALOG	0x1ca258	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x1ca448	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x1ca530	0xda	data	English	United States	0.6376146788990825
RT_DIALOG	0x1ca610	0x1f2	data	English	United States	0.39759036144578314
RT_DIALOG	0x1ca808	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0x1ca8f0	0xde	data	English	United States	0.6486486486486487
RT_DIALOG	0x1ca9d0	0x202	data	English	United States	0.42217898832684825
RT_DIALOG	0x1cabd8	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x1cacd0	0xee	data	English	United States	0.6512605042016807
RT_GROUP_ICON	0x1cadc0	0x102	data	English	United States	0.627906976744186
RT_VERSION	0x1caec8	0x1e4	data	English	United States	0.49793388429752067
RT_MANIFEST	0x1cb0b0	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 14, 2024 19:55:15.538739920 CET	1.1.1.1	192.168.2.6	0x29e3	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2024 19:55:15.538739920 CET	1.1.1.1	192.168.2.6	0x29e3	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:55:18
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\cMqyGFCQHk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cMqyGFCQHk.exe"
Imagebase:	0x400000
File size:	86'797'392 bytes
MD5 hash:	B408E3DA98F0E457D627510165374DDD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	13:55:19
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\find.exe" "Teams.exe"
Imagebase:	0xf90000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	13:55:46
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	13:55:48
Start date:	14/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Imagebase:	0x7ff6d6740000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	13:55:49
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1804,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1796 /prefetch:2
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	15
Start time:	13:55:52
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2464,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	16
Start time:	13:56:00
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe"
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	17
Start time:	13:56:02
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1704,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1696 /prefetch:2
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	13:56:01
Start date:	14/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\user\AppData\Local\Programs\Teams\Teams.exe';$s.Save()""
Imagebase:	0x7ff6d6740000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cMqyGFCQHk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\a3119b5958838383\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

C:\Users\user\AppData\Local\D3DSCache\a3119b5958838383\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

C:\Users\user\AppData\Local\D3DSCache\a3119b5958838383\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Programs\Teams\LICENSE.electron.txt

C:\Users\user\AppData\Local\Programs\Teams\LICENSES.chromium.html

C:\Users\user\AppData\Local\Programs\Teams\Teams.exe

C:\Users\user\AppData\Local\Programs\Teams\chrome_100_percent.pak

C:\Users\user\AppData\Local\Programs\Teams\chrome_200_percent.pak

C:\Users\user\AppData\Local\Programs\Teams\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Programs\Teams\ffmpeg.dll

C:\Users\user\AppData\Local\Programs\Teams\icudtl.dat

C:\Users\user\AppData\Local\Programs\Teams\libEGL.dll

C:\Users\user\AppData\Local\Programs\Teams\libGLESv2.dll

C:\Users\user\AppData\Local\Programs\Teams\resources.pak

C:\Users\user\AppData\Local\Programs\Teams\snapshot_blob.bin

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2cvl0arq.dgy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ldohxpv.swz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqou54v3.qms.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppv1qouh.wuv.ps1

C:\Users\user\AppData\Local\Temp\nshFAEA.tmp\7z-out\LICENSE.electron.txt

Windows Analysis Report
cMqyGFCQHk.exe

Target ID:	21
Start time:	13:56:03
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --field-trial-handle=2428,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	24
Start time:	13:57:48
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2548,i,4916229494749615140,4144486409714305981,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	13:58:02
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Teams\Teams.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Teams\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1200,i,126123718397027599,14626746628952611418,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:8
Imagebase:	0x7ff746f70000
File size:	188'819'968 bytes
MD5 hash:	102326801694C938E466C8D96E4200BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	25.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	1333
Total number of Limit Nodes:	33

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre