Windows Analysis Report
KMSpico.exe

Overview

General Information

Sample name: KMSpico.exe
Analysis ID: 1632207
MD5: d70ab01c774cb1b93c518ce62bec27cf
SHA1: 23e3e816d95ca8527f3ab26a4ce7bd42e4fa5b3a
SHA256: 81e4808bcd2b11a4fd3b23668882628bcbdce55c62009daa4b97b15e421e6d13
Tags: exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 82
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Disables the Smart Screen filter
Found many strings related to Crypto-Wallets (likely being stolen)
Sample uses string decryption to hide its real strings
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • KMSpico.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\KMSpico.exe" MD5: D70AB01C774CB1B93C518CE62BEC27CF)
    • KMSpico.tmp (PID: 7032 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp" /SL5="$103B4,33390065,844800,C:\Users\user\Desktop\KMSpico.exe" MD5: E4C43138CCB8240276872FD1AEC369BE)
      • KMSpico.exe (PID: 3556 cmdline: "C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe" MD5: A02164371A50C5FF9FA2870EF6E8CFA3)
        • KMSpico.tmp (PID: 5136 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp" /SL5="$2044E,2952592,69120,C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe" MD5: 1778C1F66FF205875A6435A33229AB3C)
          • cmd.exe (PID: 7056 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 776 cmdline: sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • cmd.exe (PID: 7076 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 3244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 6856 cmdline: SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • UninsHs.exe (PID: 6096 cmdline: "C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe MD5: 245824502AEFE21B01E42F61955AA7F4)
          • KMSELDI.exe (PID: 6184 cmdline: "C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup MD5: F0280DE3880EF581BF14F9CC72EC1C16)
      • core.exe (PID: 2368 cmdline: "C:\Users\user\AppData\Roaming\MyApp\core.exe" MD5: 439A40D01995AB73701DDF4BA440BE40)
        • MSBuild.exe (PID: 6652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
          • chrome.exe (PID: 3372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223 MD5: E81F54E6C1129887AEA47E7D092680BF)
            • chrome.exe (PID: 4492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2356,i,6215369390879059982,17652730807270396997,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2424 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • svchost.exe (PID: 6260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6632 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6724 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6752 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • sppsvc.exe (PID: 6796 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 5648 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5460 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 1472 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AutoPico.exe (PID: 7044 cmdline: "C:\Program Files\KMSpico\AutoPico.exe" /silent MD5: CFE1C391464C446099A5EB33276F6D57)
    • WerFault.exe (PID: 5572 cmdline: C:\Windows\system32\WerFault.exe -u -p 7044 -s 1624 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 1396 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 968 cmdline: C:\Windows\system32\WerFault.exe -pss -s 432 -p 7044 -ip 7044 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 1808 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4604 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1508 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": ["agriework.life", "explorebieology.run", "moderzysics.top", "seedsxouts.shop", "codxefusion.top", "farfinable.top", "techspherxe.top"], "Build id": "AEeq9Q--for"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000A.00000002.1604119169.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000016.00000002.2863240024.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0000000A.00000002.1573432475.00000000042DE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000016.00000002.2868508738.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
10.2.core.exe.6fd0000.11.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
22.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
10.2.core.exe.6fd0000.11.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
10.2.core.exe.562bf64.7.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
10.2.core.exe.562bf64.7.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

System Summary

Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F, CommandLine: SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F, CommandLine|base64offset|contains: H!", Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7076, ParentProcessName: cmd.exe, ProcessCommandLine: SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F, ProcessId: 6856, ProcessName: schtasks.exe
Source: Network Connection; Author: Kiran kumar s, oscd.community; Data: DestinationIp: 149.154.167.99, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6652, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49689
Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 6652, ParentProcessName: MSBuild.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, ProcessId: 3372, ProcessName: chrome.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp" /SL5="$103B4,33390065,844800,C:\Users\user\Desktop\KMSpico.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp" /SL5="$103B4,33390065,844800,C:\Users\user\Desktop\KMSpico.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp, ParentCommandLine: "C:\Users\user\Desktop\KMSpico.exe", ParentImage: C:\Users\user\Desktop\KMSpico.exe, ParentProcessId: 7008, ParentProcessName: KMSpico.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp" /SL5="$103B4,33390065,844800,C:\Users\user\Desktop\KMSpico.exe" , ProcessId: 7032, ProcessName: KMSpico.tmp
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI", CommandLine: sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI", CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7056, ParentProcessName: cmd.exe, ProcessCommandLine: sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI", ProcessId: 776, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6260, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T21:08:56.045257+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49689 | 149.154.167.99 | 443 | TCP
2025-03-07T21:08:58.389091+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49690 | 104.21.32.1 | 443 | TCP
2025-03-07T21:09:00.835047+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49692 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T21:08:58.847075+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49690 | 104.21.32.1 | 443 | TCP
2025-03-07T21:09:01.680891+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49692 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T21:08:58.847075+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49690 | 104.21.32.1 | 443 | TCP

AV Detection

Source: farfinable.top, Avira URL Cloud: Label: malware
Source: agriework.life, Avira URL Cloud: Label: malware
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: LummaC {"C2 url": ["agriework.life", "explorebieology.run", "moderzysics.top", "seedsxouts.shop", "codxefusion.top", "farfinable.top", "techspherxe.top"], "Build id": "AEeq9Q--for"}
Source: C:\Program Files\KMSpico\AutoPico.exe (copy), ReversingLabs: Detection: 75%
Source: C:\Program Files\KMSpico\KMSELDI.exe (copy), ReversingLabs: Detection: 71%
Source: C:\Program Files\KMSpico\Service_KMS.exe (copy), ReversingLabs: Detection: 76%
Source: C:\Program Files\KMSpico\is-6NLBA.tmp, ReversingLabs: Detection: 71%
Source: C:\Program Files\KMSpico\is-DAA62.tmp, ReversingLabs: Detection: 76%
Source: C:\Program Files\KMSpico\is-IIAU3.tmp, ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe (copy), ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\MyApp\data\is-LB333.tmp, ReversingLabs: Detection: 73%
Source: KMSpico.exe, ReversingLabs: Detection: 21%
Source: KMSpico.exe, Virustotal: Detection: 30%
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: agriework.life
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: explorebieology.run
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: moderzysics.top
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: seedsxouts.shop
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: codxefusion.top
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: farfinable.top
Source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, String decryptor: techspherxe.top
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Code function: 22_2_0041C281 CryptUnprotectData,22_2_0041C281
Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_87307bcc-a
Source: KMSpico.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpicoJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\certJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\AccessJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\ExcelJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\GrooveJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\InfoPathJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\OneNoteJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\OutlookJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\PowerPointJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\ProjectProJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\ProjectStdJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\ProPlusJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\PublisherJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasicsJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\StandardJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\VisioJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\WordJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\AccessJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ExcelJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\InfoPathJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\LyncJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\OneNoteJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\OutlookJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPointJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectProJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStdJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlusJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PublisherJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\StandardJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioProJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStdJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\WordJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\AccessJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ExcelJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\MondoJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNoteJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OutlookJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPointJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectProJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStdJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlusJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PublisherJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusinessJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\StandardJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioProJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStdJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\WordJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\CoreJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Education
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6\Business
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\Core
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\CoreN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\CoreSingleLanguage
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\EnterpriseN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\Core
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\CoreConnectedSingleLanguage
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\ServerDatacenter
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\ServerStandard
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\driver
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\icons
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\logs
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\scripts
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\sounds
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\unins000.dat
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-JQIGK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-03473.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-DQVFJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-3JTJE.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-8Q94R.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-JGJJ7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-OG3F8.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-IP50K.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-8DFHR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-GOQB5.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-KP6Q1.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-MPTLH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-4GILB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-NVH3M.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-SLSNM.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-8JVOS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-4N3H4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-U055I.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-QFVK0.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-TS75E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-NS5AT.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-HVUDG.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-AMEUN.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-G599V.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-E3RCF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-DL5C9.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Word\is-J1DBH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Word\is-EJB95.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Word\is-6TN3H.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-9J96K.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-EEUI9.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-NCNPR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-6O61S.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-NC5L9.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-L95EL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-UNL6N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Access\is-FKVT7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Access\is-AM951.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Access\is-H520D.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-GKREH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-0EKFB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-37QMK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-KAFBA.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-37A42.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-5UPLV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-GMVUP.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-JL1N4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-MOUE1.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-HLPIS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-IF369.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-AU4FI.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-9C977.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-HJ0BP.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-SAP9R.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-QVO4C.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-BB4UB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-CEAAF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd\is-I37Q7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd\is-P0G9B.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd\is-A2BM6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-E2HSL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-J4AS7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-EOHM7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-EQD5G.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-N8TK4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-NLR8G.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-IVG6N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-MT4MV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-CLE6J.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-99KBS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-9JCQJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-IOF9E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-84CDR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-7UQ73.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-38JLK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-1E1FJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-O8N7J.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-L9VES.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Word\is-RIPVI.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Word\is-5VTG6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Word\is-1BHLK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\is-7IBC0.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Core\is-TMS44.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Core\is-SA960.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Education\is-RCGTL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Education\is-DJVR6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-ULRJ2.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-QQ3VO.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-GJA9E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-LMVD6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-50T05.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-MGT07.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-8216P.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-GBJ6P.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\is-T6634.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-758U4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-FOL7B.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-GRH0N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-26RNO.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-GGO48.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-1PG0V.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-L017N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-A5VTP.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-UQCHA.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-7UJDA.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-5D4SI.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-E0FOU.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-BEFO3.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-9G7A7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-81RJV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-BU1GV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-7J8VB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-MC7PB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-6D9MM.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-CB2HL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-IAJ1O.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-BEJ0G.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-GOU1G.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-OBLAO.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-7GIE5.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-JAN9E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-G7O55.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-PNFFV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-T7B78.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-F611S.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-0QE6C.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-3ENP2.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-CVN3P.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-R38RJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-L8ITU.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-AO41Q.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-EEREH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-9F1CA.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-DUROI.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-VNN9V.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-H0V67.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-OT5DQ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-KI6N0.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-TEVL8.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-9P0TK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-G75TQ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-LO0E1.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-GLKBD.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-JDCRF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-JRNU3.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-QJA6D.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-SRJO7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW8\is-5HIQH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW8\Core\is-GF2KC.tmpJump to behavior
                        Source: C:\Program Files\KMSpico\KMSELDI.exe Directory created: C:\Program Files\KMSpico\logs\KMSELDI.log
                        Source: C:\Program Files\KMSpico\AutoPico.exe Directory created: C:\Program Files\KMSpico\logs\AutoPico.log
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2025-03-07 #001.txt
                        Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49689 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49690 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49692 version: TLS 1.2
                        Source: KMSpico.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: System.Windows.Forms.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B343000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B343000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\System.pdb source: AutoPico.exe, 00000015.00000002.1654858797.0000000019E31000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Windows.Forms.pdbt source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B343000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dlls.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B3C2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: core.exe, 0000000A.00000002.1604419678.0000000007210000.00000004.08000000.00040000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.00000000057A3000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.000000000572B000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: lib.pdb source: KMSELDI.exe, 00000014.00000002.2888927032.000000001D271000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: c:\divert-master\install\WDDK\i386\WinDivert.pdb source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdlle source: AutoPico.exe, 00000015.00000002.1651589363.00000000006AE000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: core.exe, 0000000A.00000002.1604419678.0000000007210000.00000004.08000000.00040000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.00000000057A3000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.000000000572B000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: c:\divert-master\install\WDDK\amd64\WinDivert.pdbH source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp
                        Source: Binary string: pC:\Program Files\KMSpico\AutoPico.PDB@ source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: OindoC:\Windows\System.pdb source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: C:\Program Files\KMSpico\AutoPico.PDBp; source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B3C2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: AutoPico.PDB source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdb source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: c:\Users\dblock\Source\CodePlex\resourcelib\trunk\Source\ResourceLib\obj\Release\Vestris.ResourceLib.pdb source: KMSpico.tmp, 0000000C.00000002.2872839221.000000000674F000.00000004.00001000.00020000.00000000.sdmp
                        Source: Binary string: m.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B3C2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Program Files\KMSpico\AutoPico.PDB source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: c:\divert-master\install\WDDK\amd64\WinDivert.pdb source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_00452A60 FindFirstFileA,GetLastError
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_0047531C FindFirstFileA,FindNextFileA,FindClose
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_004985E4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_00462750 FindFirstFileA,FindNextFileA,FindClose
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
                        Source: C:\Program Files\KMSpico\UninsHs.exe Code function: 16_2_00401C98 FindFirstFileA,MessageBoxA,RtlZeroMemory,7558D0A0

                        Networking

                        Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49692 -> 104.21.32.1:443
                        Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49690 -> 104.21.32.1:443
                        Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49690 -> 104.21.32.1:443
                        Source: Malware configuration extractor URLs: agriework.life
                        Source: Malware configuration extractor URLs: explorebieology.run
                        Source: Malware configuration extractor URLs: moderzysics.top
                        Source: Malware configuration extractor URLs: seedsxouts.shop
                        Source: Malware configuration extractor URLs: codxefusion.top
                        Source: Malware configuration extractor URLs: farfinable.top
                        Source: Malware configuration extractor URLs: techspherxe.top
                        Source: Joe Sandbox View IP Address: 104.21.32.1
                        Source: Joe Sandbox View IP Address: 149.154.167.99
                        Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
                        Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49689 -> 149.154.167.99:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49692 -> 104.21.32.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49690 -> 104.21.32.1:443
                        Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
                        Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
                        Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
                        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                        Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.15
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 22_2_00425B70 recv,22_2_00425B70
                        Source: global traffic | HTTP traffic detected: GET /hyukonyas HTTP/1.1
                            Connection: Keep-Alive
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                            Host: t.me
                        Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
                            Host: www.google.com
                            Connection: keep-alive
                            X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIkqHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==
                            Sec-Fetch-Site: none
                            Sec-Fetch-Mode: no-cors
                            Sec-Fetch-Dest: empty
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                            Accept-Encoding: gzip, deflate, br, zstd
                            Accept-Language: en-US,en;q=0.9
                        Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
                            Host: www.google.com
                            Connection: keep-alive
                            Sec-Fetch-Site: none
                            Sec-Fetch-Mode: no-cors
                            Sec-Fetch-Dest: empty
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                            Accept-Encoding: gzip, deflate, br, zstd
                            Accept-Language: en-US,en;q=0.9
                        Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                            Host: www.google.com
                            Connection: keep-alive
                            X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIkqHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==
                            Sec-Fetch-Site: cross-site
                            Sec-Fetch-Mode: no-cors
                            Sec-Fetch-Dest: empty
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                            Accept-Encoding: gzip, deflate, br, zstd
                            Accept-Language: en-US,en;q=0.9
                        Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
                            Host: www.google.com
                            Connection: keep-alive
                            Sec-Fetch-Site: cross-site
                            Sec-Fetch-Mode: no-cors
                            Sec-Fetch-Dest: empty
                            Sec-Fetch-Storage-Access: active
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                            Accept-Encoding: gzip, deflate, br, zstd
                            Accept-Language: en-US,en;q=0.9
                        Source: chrome.exe, 0000001C.00000002.2899257371.00000F9C00A4C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                        Source: chrome.exe, 0000001C.00000002.2899257371.00000F9C00A4C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                        Source: chrome.exe, 0000001C.00000002.2899257371.00000F9C00A4C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
                        Source: chrome.exe, 0000001C.00000002.2899257371.00000F9C00A4C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
                        Source: chrome.exe, 0000001C.00000003.1718531006.00000F9C00580000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000002.2897261896.00000F9C00580000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                        Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
                        Source: global traffic | DNS traffic detected: DNS query: t.me
                        Source: global traffic | DNS traffic detected: DNS query: 69.170.12.0.in-addr.arpa
                        Source: global traffic | DNS traffic detected: DNS query: agriework.life
                        Source: global traffic | DNS traffic detected: DNS query: www.google.com
                        Source: global traffic | DNS traffic detected: DNS query: apis.google.com
                        Source: global traffic | DNS traffic detected: DNS query: play.google.com
                        Source: global traffic | DNS traffic detected: DNS query: beacons.gcp.gvt2.com
                        Source: global traffic | DNS traffic detected: DNS query: beacons.gvt2.com
                        Source: unknown | HTTP traffic detected: POST /api HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                            Content-Length: 8
                            Host: agriework.life
                        Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden
                            Date: Fri, 07 Mar 2025 20:08:58 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            X-Frame-Options: SAMEORIGIN
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=amlJpDoSHCGHVu9ukyPemAO6ASDXGlP9PC6JXtYq92y2LQvoSRmzqVG7VAojk%2FydXcq%2BsvqyYfuOQvwcp79ZTWZAzcizAbL3y44nhK3g9F4JZ7GWUeZwQ1O0vIgVZIj3dA%3D%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 91ccba5699d422fa-ORD
                        Source: core.exe, 0000000A.00000000.1322050546.000000000170F000.00000002.00000001.01000000.0000000D.sdmp, core.exe, 0000000A.00000002.1570402025.000000000170F000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: ftp://.mode
                        Source: svchost.exe, 0000001B.00000002.2872171453.000001F730713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Port.NET/
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://bugreports.qt.io/
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ccsca2021.ocsp-certum.com05
                        Source: chrome.exe, 0000001C.00000002.2895878548.00000F9C00238000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000002.2902176515.00000F9C011C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://clientservices.googleapis.com/uma/v2
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                        Source: svchost.exe, 00000002.00000002.2876597625.0000021D78800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2871001767.000001F7306CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0
                        Source: chrome.exe, 0000001C.00000002.2901709117.00000F9C01080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
                        Source: svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                        Source: svchost.exe, 0000001B.00000002.2873374190.000001F730F00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsecuri
                        Source: svchost.exe, 0000001B.00000003.1630543946.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2874468401.000001F730F7C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                        Source: svchost.exe, 0000001B.00000002.2873374190.000001F730F00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd.0.xs
                        Source: svchost.exe, 0000001B.00000003.1596515592.000001F730F32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
                        Source: svchost.exe, 00000002.00000002.2877452963.0000021D788D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pkap37pjanhqytozbeza7qsifm_2025.2.21.0/ni
                        Source: svchost.exe, 00000002.00000002.2877962422.0000021D78913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gc
                        Source: svchost.exe, 00000002.00000002.2877104000.0000021D78893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80fs/windows/config.json
                        Source: svchost.exe, 00000002.00000003.1203547760.0000021D78670000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000002.2881097138.000000001B542000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/Webfont
                        Source: AutoPico.exe, 00000015.00000002.1653298013.0000000001011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://forums.myd
                        Source: AutoPico.exe, 00000015.00000002.1653298013.0000000001011000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.0000000001098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://forums.mydigitallife.info/forums/51-KMS-tools
                        Source: chrome.exe, 0000001C.00000002.2894737049.00000F9C00096000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://ocsp.digicert.com0P
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://ocsp.thawte.com0
                        Source: svchost.exe, 0000001B.00000002.2870040830.000001F730686000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS0
                        Source: chrome.exe, 0000001C.00000002.2903829969.00000F9C0152C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.cr
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
                        Source: svchost.exe, 0000001B.00000002.2873374190.000001F730F00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                        Source: svchost.exe, 0000001B.00000002.2873978400.000001F730F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                        Source: svchost.exe, 0000001B.00000003.1898913751.000001F73165C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2873695838.000001F730F13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                        Source: svchost.exe, 0000001B.00000002.2873978400.000001F730F37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
                        Source: svchost.exe, 0000001B.00000002.2873695838.000001F730F13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scmain
                        Source: svchost.exe, 0000001B.00000002.2873978400.000001F730F37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73067E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: svchost.exe, 0000001B.00000002.2874315298.000001F730F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: svchost.exe, 0000001B.00000002.2873695838.000001F730F13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustsrf
                        Source: core.exe, 0000000A.00000002.1573432475.00000000042DE000.00000004.00000800.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000002.2873136648.00000000026E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com02
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com05
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                        Source: svchost.exe, 00000003.00000002.1364525867.000001C519613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                        Source: KMSpico.tmp, 00000001.00000002.1338197228.00000000003CD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000002.2881097138.000000001B542000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.devcomponents.com
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000002.2881097138.000000001B542000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.devcomponents.com/dotnetbar/order.html
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000002.2881097138.000000001B542000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.devcomponents.comAmailto:support
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000002.2881097138.000000001B542000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.devcomponents.comKSystem.Windows.Forms.ContextMenuStrip
                        Source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgy
                        Source: chrome.exe, 0000001C.00000002.2903829969.00000F9C0152C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppe
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnn
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelglejhemejgin
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjkmgdlgnkk
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eei
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/kiabhabj
                        Source: chrome.exe, 0000001C.00000002.2895035702.00000F9C0010C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/aqycho6ebjt4lkm75dietvcqni_3064/jflookgnkcckhobag
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncan
                        Source: chrome.exe, 0000001C.00000002.2895035702.00000F9C0010C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/enxt4hdqszsa7we25gsgbrvite_1244/efniojlnjndmcbiie
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/g4icseal3vuw2domlzotcgpnhi_2/hajigopbbjhghbfimgkf
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/gdvqsmkcx3f432ddub4xttw5lm_9597/hfnkpimlhhgieaddg
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindgg
                        Source: chrome.exe, 0000001C.00000002.2894422823.00000F9C00004000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhl
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pkomkdjpmj
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/dl/release2/chrome_component/pkap37pjanhqytozbeza7qsifm_2025.2.21.0/niikhdgajl
                        Source: KMSpico.tmp, KMSpico.tmp, 0000000C.00000002.2864633251.0000000000401000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.innosetup.com/
                        Source: KMSpico.exe, KMSpico.exe, 00000008.00000000.1272344106.0000000000401000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                        Source: KMSpico.exe, 00000008.00000000.1272344106.0000000000401000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.phreedom.org/md5)
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.phreedom.org/md5)08:27
                        Source: KMSpico.exe, 00000008.00000003.1286194771.0000000002330000.00000004.00001000.00020000.00000000.sdmp, KMSpico.exe, 00000008.00000003.1290387178.0000000001F88000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, KMSpico.tmp, 0000000C.00000002.2864633251.0000000000401000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.remobjects.com/ps
                        Source: KMSpico.exe, 00000008.00000003.1286194771.0000000002330000.00000004.00001000.00020000.00000000.sdmp, KMSpico.exe, 00000008.00000003.1290387178.0000000001F88000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2864633251.0000000000401000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.remobjects.com/psU
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces
                        Source: core.exe, 0000000A.00000000.1322050546.00000000018D3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                        Source: svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502igning
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590130108.000001F730F2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                        Source: svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806014
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
                        Source: svchost.exe, 0000001B.00000002.2869127682.000001F73062B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                        Source: svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600%
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591856594.000001F730F57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                        Source: chrome.exe, 0000001C.00000002.2895878548.00000F9C00238000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelgle
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adp7vwwbn24nerlkdq3gj6auhcka_2025.3.6.1/
                        Source: chrome.exe, 0000001C.00000002.2898279938.00000F9C0088C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.2
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1
                        Source: chrome.exe, 0000001C.00000002.2895035702.00000F9C0010C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aqycho6ebjt4lkm75dietvcqni_3064/jflookgn
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/enxt4hdqszsa7we25gsgbrvite_1244/efniojln
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/g4icseal3vuw2domlzotcgpnhi_2/hajigopbbjh
                        Source: chrome.exe, 0000001C.00000002.2898674960.00000F9C00950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/gdvqsmkcx3f432ddub4xttw5lm_9597/hfnkpiml
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/ne
                        Source: chrome.exe, 0000001C.00000002.2895035702.00000F9C0010C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbo
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/p
                        Source: chrome.exe, 0000001C.00000002.2898991572.00000F9C009CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pkap37pjanhqytozbeza7qsifm_2025.2.21.0/n
                        Source: chrome.exe, 0000001C.00000003.1719289883.00000F9C016BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fonts.google.com/icons?selected=Material
                        Source: svchost.exe, 00000002.00000003.1203547760.0000021D786C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                        Source: svchost.exe, 00000002.00000003.1203547760.0000021D78670000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                        Source: chrome.exe, 0000001C.00000003.1720605072.00000F9800624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1719548506.00000F9C0165C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?20
                        Source: chrome.exe, 0000001C.00000003.1720605072.00000F9800624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1719548506.00000F9C0165C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic2
                        Source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                        Source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                        Source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                        Source: chrome.exe, 0000001C.00000003.1720605072.00000F9800624000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
                        Source: chrome.exe, 0000001C.00000003.1720605072.00000F9800624000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
                        Source: chrome.exe, 0000001C.00000002.2894422823.00000F9C00004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000002.2895878548.00000F9C00238000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                        Source: chrome.exe, 0000001C.00000003.1720605072.00000F9800624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1721720652.00000F9C019A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs2e
                        Source: KMSpico.exe, 00000000.00000000.998434562.0000000000A41000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                        Source: chrome.exe, 0000001C.00000002.2904390879.00000F9C01744000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000002.2899893969.00000F9C00BC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
                        Source: chrome.exe, 0000001C.00000003.1847000081.00000F9C01440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search?source=ntp
                        Source: chrome.exe, 0000001C.00000003.1718162468.00000F9C0148C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/gen204
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live
                        Source: svchost.exe, 0000001B.00000002.2870040830.000001F730686000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
                        Source: svchost.exe, 0000001B.00000003.1592049892.000001F730F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1595683068.000001F730F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502Auth
                        Source: svchost.exe, 0000001B.00000003.1592049892.000001F730F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1595683068.000001F730F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600line
                        Source: svchost.exe, 0000001B.00000003.1592049892.000001F730F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590130108.000001F730F2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601p
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                        Source: svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srfr.srf
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srfP
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srfx
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                        Source: svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfrf?id=80
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfin.sr
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf/inlinesign
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfom/ppse
                        Source: svchost.exe, 0000001B.00000003.1591797626.000001F730F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591913130.000001F730F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                        Source: svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                        Source: svchost.exe, 0000001B.00000003.1592049892.000001F730F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf/login.li
                        Source: svchost.exe, 0000001B.00000003.1592049892.000001F730F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590130108.000001F730F2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfnup.liv
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                        Source: svchost.exe, 0000001B.00000002.2869127682.000001F73062B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                        Source: svchost.exe, 0000001B.00000002.2869127682.000001F73062B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                        Source: svchost.exe, 0000001B.00000003.1592049892.000001F730F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1595683068.000001F730F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfhttps://lo
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                        Source: svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                        Source: svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805021
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                        Source: svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600J
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                        Source: svchost.exe, 0000001B.00000002.2869127682.000001F73062B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                        Source: svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591739648.000001F730F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591856594.000001F730F57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
                        Source: svchost.exe, 0000001B.00000003.1590577659.000001F730F5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590130108.000001F730F2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869350486.000001F730640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                        Source: svchost.exe, 0000001B.00000003.1590130108.000001F730F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1591962110.000001F730F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1590811363.000001F730F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1592242191.000001F730F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                        Source: svchost.exe, 0000001B.00000003.1590366599.000001F73064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                        Source: chrome.exe, 0000001C.00000003.1718531006.00000F9C00580000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000002.2897261896.00000F9C00580000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
                        Source: chrome.exe, 0000001C.00000003.1720605072.00000F9800624000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
                        Source: chrome.exe, 0000001C.00000003.1757646833.00000F9C01AA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1758278411.00000F9C01B14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
                        Source: chrome.exe, 0000001C.00000003.1757646833.00000F9C01AA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1758278411.00000F9C01B14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
                        Source: chrome.exe, 0000001C.00000002.2898029879.00000F9C007DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
                        Source: chrome.exe, 0000001C.00000003.1846945215.00000F9C01F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1846854540.00000F9C015D4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
                        Source: chrome.exe, 0000001C.00000003.1847258225.00000F9C0191C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1846945215.00000F9C01F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1846854540.00000F9C015D4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
                        Source: chrome.exe, 0000001C.00000003.1983712615.00000F9C01F00000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1847000081.00000F9C01440000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1847147417.00000F9C01F34000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WcyoQrvsWY0.2019.O/rt=j/m=q_dnp
                        Source: chrome.exe, 0000001C.00000003.1983712615.00000F9C01F00000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1847000081.00000F9C01440000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000001C.00000003.1847147417.00000F9C01F34000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.L8bgMGq1rcI.L.W.O/m=qmd
                        Source: KMSpico.exe, 00000000.00000003.1004253630.000000007EC8B000.00000004.00001000.00020000.00000000.sdmp, KMSpico.exe, 00000000.00000003.1001850638.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 00000001.00000000.1006465566.0000000000E11000.00000020.00000001.01000000.00000004.sdmp; String found in binary or memory: https://www.innosetup.com/
                        Source: KMSpico.exe, 00000000.00000003.1004253630.000000007EC8B000.00000004.00001000.00020000.00000000.sdmp, KMSpico.exe, 00000000.00000003.1001850638.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 00000001.00000000.1006465566.0000000000E11000.00000020.00000001.01000000.00000004.sdmp; String found in binary or memory: https://www.remobjects.com/ps
                        Source: unknown; HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49689 version: TLS 1.2
                        Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49690 version: TLS 1.2
                        Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49692 version: TLS 1.2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 22_2_004405C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 22_2_004411ED GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File created: C:\Program Files\KMSpico\driver\is-EHRL3.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File created: C:\Program Files\KMSpico\driver\is-CTDHU.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File created: C:\Program Files\KMSpico\driver\OpenVPN.cer (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File created: C:\Program Files\KMSpico\driver\certELDI.pfx (copy)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 22_2_004239C0 CreateDesktopW
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_0042F520 NtdllDefWindowProc_A
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_00423B84 NtdllDefWindowProc_A
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_004125D8 NtdllDefWindowProc_A
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_00478E54 NtdllDefWindowProc_A
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
                        Source: C:\Program Files\KMSpico\UninsHs.exe; Code function: 16_2_00401000 BeginPaint,GetStockObject,SelectObject,Rectangle,MoveToEx,LineTo,MoveToEx,LineTo,CreatePen,SelectObject,DeleteObject,MoveToEx,LineTo,MoveToEx,LineTo,SelectObject,DeleteObject,LoadBitmapA,SelectObject,ExitProcess,DeleteDC,DeleteObject,wsprintfA,SelectObject,SetBkColor,DrawTextA,SelectObject,SetBkColor,DrawTextA,LoadIconA,DrawIcon,LoadIconA,DrawIcon,LoadIconA,DrawIcon,GetSysColor,SetBkColor,DrawTextA,DrawTextA,DrawTextA,GetSysColor,SetBkColor,DrawTextA,GetSysColor,SetBkColor,DrawTextA,SelectObject,CreateFontA,CreateWindowExA,SendMessageA,CreateWindowExA,SendMessageA,CreateWindowExA,SendMessageA,CreateFontA,CreateWindowExA,SendMessageA,SetFocus,CreateWindowExA,SendMessageA,SetFocus,CreateWindowExA,SendMessageA,SetFocus,SetTimer,SendMessageA,GetClientRect,ShowWindow,ShowWindow,ShowWindow,ShowWindow,InvalidateRect,lstrcpy,wsprintfA,lstrcpy,ShowWindow,ShowWindow,ShowWindow,wsprintfA,WinExec,ShowWindow,wsprintfA,GetStartupInfoA,InvalidateRect,CloseHandle,EnableWindow,SetWindowTextA,InvalidateRect,ShowWindow,WinExec,InvalidateRect,SendMessageA,SetFocus,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,EnableWindow,GetClientRect,InvalidateRect,DeleteObject,DeleteObject,KillTimer,PostQuitMessage,NtdllDefWindowProc_A
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe; Code function: 8_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; Code function: 12_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                        Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File created: C:\Windows\system32\is-95P9D.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File created: C:\Windows\system32\is-N17B1.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp; File deleted: C:\Windows\System32\Vestris.ResourceLib.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00437E5422_2_00437E54
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0041DE7C22_2_0041DE7C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00407E1022_2_00407E10
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00432E3822_2_00432E38
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_004476D022_2_004476D0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0043A6E022_2_0043A6E0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00443EAD22_2_00443EAD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0041DE7C22_2_0041DE7C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00433F5022_2_00433F50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0043BF5022_2_0043BF50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00446F5022_2_00446F50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0044475922_2_00444759
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00408F6022_2_00408F60
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00403F0022_2_00403F00
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0044C70C22_2_0044C70C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0043772022_2_00437720
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00431FC022_2_00431FC0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_004047E222_2_004047E2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00406FE622_2_00406FE6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0043FFF022_2_0043FFF0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_00431FA022_2_00431FA0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0044D7B022_2_0044D7B0
                        Source: Joe Sandbox View Dropped File: C:\Program Files\KMSpico\AutoPico.exe (copy) 4A714D98CE40F5F3577C306A66CB4A6B1FF3FD01047C7F4581F8558F0BCDF5FA
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 7044 -ip 7044
                        Source: KMSpico.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                        Source: is-I4K1U.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                        Source: KMSpico.tmp.8.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                        Source: KMSpico.tmp.8.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                        Source: KMSpico.tmp.8.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                        Source: KMSpico.exe Static PE information: Number of sections : 11 > 10
                        Source: is-I4K1U.tmp.1.dr Static PE information: Number of sections : 11 > 10
                        Source: KMSpico.tmp.0.dr Static PE information: Number of sections : 11 > 10
                        Source: KMSpico.exe, 00000000.00000003.1001850638.0000000003173000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs KMSpico.exe
                        Source: KMSpico.exe, 00000000.00000003.1004253630.000000007EFAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs KMSpico.exe
                        Source: KMSpico.exe, 00000000.00000000.998556609.0000000000AF9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs KMSpico.exe
                        Source: KMSpico.exe, 00000008.00000003.1286194771.0000000002330000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs KMSpico.exe
                        Source: KMSpico.exe, 00000008.00000003.1290387178.0000000001F88000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs KMSpico.exe
                        Source: KMSpico.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 10.2.core.exe.7210000.13.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                        Source: 10.2.core.exe.7210000.13.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                        Source: 10.2.core.exe.7210000.13.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
                        Source: 10.2.core.exe.7210000.13.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
                        Source: 10.2.core.exe.5753770.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                        Source: 10.2.core.exe.5753770.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                        Source: 10.2.core.exe.5753770.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 10.2.core.exe.7210000.13.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 10.2.core.exe.5753770.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 10.2.core.exe.5753770.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 10.2.core.exe.7210000.13.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 10.2.core.exe.5753770.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 10.2.core.exe.7210000.13.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 10.2.core.exe.7210000.13.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 10.2.core.exe.7210000.13.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                        Source: 10.2.core.exe.7210000.13.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                        Source: 10.2.core.exe.5753770.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                        Source: 10.2.core.exe.5753770.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                        Source: classification engine Classification label: mal82.phis.troj.spyw.evad.winEXE@82/805@27/6
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe Code function: 8_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Code function: 12_2_0046E13C GetVersion,CoCreateInstance
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe Code function: 8_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\Program Files\KMSpico
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp File created: C:\Users\user\AppData\Roaming\MyApp
                        Source: C:\Program Files\KMSpico\AutoPico.exe Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3244:120:WilError_03
                        Source: C:\Windows\System32\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7044
                        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7032:120:WilError_03
                        Source: C:\Users\user\Desktop\KMSpico.exe File created: C:\Users\user~1\AppData\Local\Temp\is-BO18O.tmp
                        Source: C:\Users\user\Desktop\KMSpico.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\KMSpico.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                        Source: chrome.exe, 0000001C.00000002.2907602526.00000F9C02214000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
                        Source: chrome.exe, 0000001C.00000002.2907602526.00000F9C02214000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
                        Source: chrome.exe, 0000001C.00000002.2900971039.00000F9C00E38000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
                        Source: chrome.exe, 0000001C.00000002.2901177080.00000F9C00ED4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';
                        Source: KMSpico.exe ReversingLabs: Detection: 21%
                        Source: KMSpico.exe Virustotal: Detection: 30%
                        Source: KMSpico.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                        Source: C:\Users\user\Desktop\KMSpico.exe File read: C:\Users\user\Desktop\KMSpico.exe
                        Source: C:\Program Files\KMSpico\UninsHs.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_16-632
                        Source: unknown Process created: C:\Users\user\Desktop\KMSpico.exe "C:\Users\user\Desktop\KMSpico.exe"
                        Source: C:\Users\user\Desktop\KMSpico.exe Process created: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp "C:\Users\user~1\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp" /SL5="$103B4,33390065,844800,C:\Users\user\Desktop\KMSpico.exe"
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                        Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                        Source: unknown Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Process created: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe "C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe"
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Process created: C:\Users\user\AppData\Roaming\MyApp\core.exe "C:\Users\user\AppData\Roaming\MyApp\core.exe"
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe Process created: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp "C:\Users\user~1\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp" /SL5="$2044E,2952592,69120,C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe"
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Process created: C:\Program Files\KMSpico\UninsHs.exe "C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Process created: C:\Program Files\KMSpico\KMSELDI.exe "C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
                        Source: unknown Process created: C:\Program Files\KMSpico\AutoPico.exe "C:\Program Files\KMSpico\AutoPico.exe" /silent
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 7044 -ip 7044
                        Source: C:\Program Files\KMSpico\AutoPico.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7044 -s 1624
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
                        Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2356,i,6215369390879059982,17652730807270396997,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2424 /prefetch:3
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                        Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7044 -s 1624
                        Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
                        Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                        Source: C:\Users\user\Desktop\KMSpico.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\KMSpico.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: wtsapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: winsta.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: shfolder.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: rstrtmgr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: dwmapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: explorerframe.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: sfc.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: sfc_os.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp Section loaded: apphelp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: winmm.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: mpr.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: d3d9.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: dwmapi.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exe Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: shfolder.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: rstrtmgr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: riched20.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: usp10.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: msls31.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: explorerframe.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: sfc.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: sfc_os.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: linkinfo.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: ntshrui.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp Section loaded: cscapi.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: apphelp.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: acgenral.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: uxtheme.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: winmm.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: samcli.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: msacm32.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: version.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: userenv.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: dwmapi.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: urlmon.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: mpr.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: sspicli.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: winmmbase.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: iertutil.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: srvcli.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: netutils.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: aclayers.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: sfc.dll
                        Source: C:\Program Files\KMSpico\UninsHs.exeSection loaded: sfc_os.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: mscoree.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: apphelp.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: kernel.appcore.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: version.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: uxtheme.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: windows.storage.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: wldp.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: profapi.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: cryptsp.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: rsaenh.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: cryptbase.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: dwmapi.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: windowscodecs.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: dwrite.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: riched20.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: usp10.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: msls31.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: textshaping.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: mswsock.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: iphlpapi.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: napinsp.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: pnrpnsp.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: wshbth.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: nlaapi.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: dnsapi.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: winrnr.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: rasadhlp.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: textinputframework.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: coreuicomponents.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: coremessaging.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: ntmarta.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: wintypes.dll
                        Source: C:\Program Files\KMSpico\KMSELDI.exeSection loaded: sxs.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: mscoree.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: apphelp.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: kernel.appcore.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: version.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: windows.storage.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: wldp.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: mswsock.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: profapi.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: cryptsp.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: rsaenh.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: cryptbase.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: iphlpapi.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: dnsapi.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: winnsi.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: amsi.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: userenv.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: rasadhlp.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: fwpuclnt.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: napinsp.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: pnrpnsp.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: wshbth.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: nlaapi.dll
                        Source: C:\Program Files\KMSpico\AutoPico.exeSection loaded: winrnr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: webio.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ngcsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: authz.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ngcctnrsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ngcctnrgidshandler.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ktmw32.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ngcctnr.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpWindow found: window name: TWizardForm
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpAutomated click: Next >
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpAutomated click: I accept the agreement
                        Source: C:\Program Files\KMSpico\KMSELDI.exeAutomated click: Continue
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Access
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Excel
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Groove
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\InfoPath
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\OneNote
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Outlook
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\ProPlus
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Publisher
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Standard
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2010\Word
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Access
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Excel
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\InfoPath
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Lync
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\OneNote
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Outlook
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2013\Word
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Access
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscert2016\Word
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Core
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Education
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW10\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6\Business
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6\BusinessN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW6\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7\Embedded
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW7\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\Core
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\CoreN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\CoreSingleLanguage
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\EnterpriseN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalN
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\Core
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\CoreConnectedSingleLanguage
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\Enterprise
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\Professional
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\ServerDatacenter
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\cert\kmscertW81\ServerStandard
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\driver
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\icons
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\logs
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\scripts
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\sounds
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp | Directory created: C:\Program Files\KMSpico\unins000.dat
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-JPLFG.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-6FO74.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-LDLCH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-A7SJR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-AMJLJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-AVDGL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-V1NJ5.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-OVU7T.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-74COT.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-MEVS6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-AVRJR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-GEREB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-3BC85.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-IF0JF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-VSFVB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-T3KQU.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-E2D64.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-ICF4A.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-7U9QE.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-NSC5D.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-PFG9H.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-KK70C.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-4FATS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-DS29H.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-VLHT5.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-ENDTG.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-OJ7MC.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2010\Word\is-RPL72.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-9UVVN.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-811LB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-SID4N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-KNU1N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-GLG40.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-EC65O.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\is-JA6TK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Access\is-JMF18.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Access\is-GMLGO.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Access\is-OBJGC.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-3I59R.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-VBHHE.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-SLN0L.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-GI3R1.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-U6365.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-FN421.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-MQ52I.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-DC1FF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-35C3A.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\OneNote\is-CUO6O.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\OneNote\is-9BFP5.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\OneNote\is-0PKRD.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-UN261.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-72GNB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-QPSR6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-JQIGK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-03473.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-DQVFJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-3JTJE.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-8Q94R.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-JGJJ7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-OG3F8.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-IP50K.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-8DFHR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-GOQB5.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-KP6Q1.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-MPTLH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-4GILB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-NVH3M.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-SLSNM.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-8JVOS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-4N3H4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-U055I.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-QFVK0.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-TS75E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-NS5AT.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-HVUDG.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-AMEUN.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-G599V.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-E3RCF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\VisioStd\is-DL5C9.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Word\is-J1DBH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Word\is-EJB95.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2013\Word\is-6TN3H.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-9J96K.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-EEUI9.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-NCNPR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-6O61S.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-NC5L9.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-L95EL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\is-UNL6N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Access\is-FKVT7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Access\is-AM951.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Access\is-H520D.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-GKREH.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-0EKFB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-37QMK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-KAFBA.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-37A42.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-5UPLV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-GMVUP.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-JL1N4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-MOUE1.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-HLPIS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-IF369.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-AU4FI.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-9C977.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-HJ0BP.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-SAP9R.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-QVO4C.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-BB4UB.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-CEAAF.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd\is-I37Q7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd\is-P0G9B.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProjectStd\is-A2BM6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-E2HSL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-J4AS7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-EOHM7.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-EQD5G.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-N8TK4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-NLR8G.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-IVG6N.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-MT4MV.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-CLE6J.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-99KBS.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-9JCQJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-IOF9E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-84CDR.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-7UQ73.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-38JLK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-1E1FJ.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-O8N7J.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-L9VES.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Word\is-RIPVI.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Word\is-5VTG6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscert2016\Word\is-1BHLK.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\is-7IBC0.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Core\is-TMS44.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Core\is-SA960.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Education\is-RCGTL.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Education\is-DJVR6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-ULRJ2.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-QQ3VO.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-GJA9E.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-LMVD6.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-50T05.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-MGT07.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-8216P.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-GBJ6P.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\is-T6634.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-758U4.tmpJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDirectory created: C:\Program Files\KMSpico\cert\kmscertW6\Business\is-FOL7B.tmpJump to behavior
                        Source: C:\Program Files\KMSpico\KMSELDI.exe, Directory created: C:\Program Files\KMSpico\logs\KMSELDI.log
                        Source: C:\Program Files\KMSpico\AutoPico.exe, Directory created: C:\Program Files\KMSpico\logs\AutoPico.log
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmp, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1
                        Source: KMSpico.exe, Static file information: File size 34357573 > 1048576
                        Source: KMSpico.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: System.Windows.Forms.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B343000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B343000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\System.pdb source: AutoPico.exe, 00000015.00000002.1654858797.0000000019E31000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Windows.Forms.pdbt source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B343000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dlls.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B3C2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: core.exe, 0000000A.00000002.1604419678.0000000007210000.00000004.08000000.00040000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.00000000057A3000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.000000000572B000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: lib.pdb source: KMSELDI.exe, 00000014.00000002.2888927032.000000001D271000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: c:\divert-master\install\WDDK\i386\WinDivert.pdb source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdlle source: AutoPico.exe, 00000015.00000002.1651589363.00000000006AE000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: core.exe, 0000000A.00000002.1604419678.0000000007210000.00000004.08000000.00040000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.00000000057A3000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1599992271.000000000572B000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: c:\divert-master\install\WDDK\amd64\WinDivert.pdbH source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp
                        Source: Binary string: pC:\Program Files\KMSpico\AutoPico.PDB@ source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: OindoC:\Windows\System.pdb source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: C:\Program Files\KMSpico\AutoPico.PDBp; source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B3C2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: AutoPico.PDB source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdb source: core.exe, 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, core.exe, 0000000A.00000002.1604187455.0000000007060000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: c:\Users\dblock\Source\CodePlex\resourcelib\trunk\Source\ResourceLib\obj\Release\Vestris.ResourceLib.pdb source: KMSpico.tmp, 0000000C.00000002.2872839221.000000000674F000.00000004.00001000.00020000.00000000.sdmp
                        Source: Binary string: m.pdb source: KMSELDI.exe, 00000014.00000002.2879607649.000000001B3C2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Program Files\KMSpico\AutoPico.PDB source: AutoPico.exe, 00000015.00000002.1651477320.00000000004F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: c:\divert-master\install\WDDK\amd64\WinDivert.pdb source: KMSpico.tmp, 0000000C.00000002.2872839221.0000000006160000.00000004.00001000.00020000.00000000.sdmp, KMSpico.tmp, 0000000C.00000002.2872839221.0000000006766000.00000004.00001000.00020000.00000000.sdmp, KMSELDI.exe, 00000014.00000000.1540774715.0000000000012000.00000002.00000001.01000000.00000011.sdmp, AutoPico.exe, 00000015.00000000.1544048779.00000000000C8000.00000002.00000001.01000000.00000012.sdmp

                        Data Obfuscation

                        Source: 10.2.core.exe.7210000.13.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
                        Source: 10.2.core.exe.7210000.13.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
                        Source: 10.2.core.exe.7210000.13.raw.unpack, XmlSerializationHelper.cs, .Net Code: ReadObjectProperties
                        Source: 10.2.core.exe.7060000.12.raw.unpack, TypeModel.cs, .Net Code: TryDeserializeList
                        Source: 10.2.core.exe.7060000.12.raw.unpack, ListDecorator.cs, .Net Code: Read
                        Source: 10.2.core.exe.7060000.12.raw.unpack, TypeSerializer.cs, .Net Code: CreateInstance
                        Source: 10.2.core.exe.7060000.12.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateInstance
                        Source: 10.2.core.exe.7060000.12.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateIfNull
                        Source: 10.2.core.exe.53664c8.1.raw.unpack, TypeModel.cs, .Net Code: TryDeserializeList
                        Source: 10.2.core.exe.53664c8.1.raw.unpack, ListDecorator.cs, .Net Code: Read
                        Source: 10.2.core.exe.53664c8.1.raw.unpack, TypeSerializer.cs, .Net Code: CreateInstance
                        Source: 10.2.core.exe.53664c8.1.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateInstance
                        Source: 10.2.core.exe.53664c8.1.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateIfNull
                        Source: 10.2.core.exe.5753770.3.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
                        Source: 10.2.core.exe.5753770.3.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
                        Source: 10.2.core.exe.5753770.3.raw.unpack, XmlSerializationHelper.cs, .Net Code: ReadObjectProperties
                        Source: Yara match, File source: 10.2.core.exe.6fd0000.11.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.core.exe.6fd0000.11.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.core.exe.562bf64.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 10.2.core.exe.562bf64.7.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0000000A.00000002.1599992271.000000000526A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000A.00000002.1604119169.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000A.00000002.1573432475.00000000042DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000000A.00000002.1599992271.0000000005591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: core.exe PID: 2368, type: MEMORYSTR
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp, Code function: 12_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                        Source: KMSpico.exe, Static PE information: section name: .didata
                        Source: KMSpico.tmp.0.dr, Static PE information: section name: .didata
                        Source: is-I4K1U.tmp.1.dr, Static PE information: section name: .didata
                        Source: is-14TN5.tmp.1.dr, Static PE information: section name: .qtmetad
                        Source: is-14TN5.tmp.1.dr, Static PE information: section name: _RDATA
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004056A0 push 00405749h; ret 12_2_00405741
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004517F8 push 0045182Bh; ret 12_2_00451823
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004519BC push ecx; mov dword ptr [esp], eax12_2_004519C1
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00485A54 push ecx; mov dword ptr [esp], ecx12_2_00485A59
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00419C28 push ecx; mov dword ptr [esp], ecx12_2_00419C2D
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_0045FD1C push ecx; mov dword ptr [esp], ecx12_2_0045FD20
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Roaming\MyApp\core.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Roaming\MyApp\is-I4K1U.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-L75HR.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\Vestris.ResourceLib.dll (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Windows\System32\is-N17B1.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\KMSELDI.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-2L4A1.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\UninsHs.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Local\Temp\is-AQBS1.tmp\_isetup\_setup64.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\driver\tap-windows-9.21.0.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Roaming\MyApp\data\is-LB333.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeFile created: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Windows\system32\Vestris.ResourceLib.dll (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\unins000.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Roaming\MyApp\is-14TN5.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-IIAU3.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Local\Temp\is-AQBS1.tmp\_isetup\_shfoldr.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\driver\is-A08CE.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-6NLBA.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\AutoPico.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SCJT5.tmp\_isetup\_setup64.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-GQU4U.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-C96NM.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpFile created: C:\Users\user\AppData\Roaming\MyApp\unins000.exe (copy)Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\is-DAA62.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Program Files\KMSpico\Service_KMS.exe (copy)Jump to dropped file
                        Source: C:\Users\user\Desktop\KMSpico.exeFile created: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Windows\System32\is-95P9D.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpFile created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2025-03-07 #001.txtJump to behavior

                        Boot Survival

                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Log KMSpico.lnk
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Uninstall KMSpico.lnk
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,12_2_0042285C
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,12_2_00423C0C
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004241DC IsIconic,SetActiveWindow,SetFocus,12_2_004241DC
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00424194 IsIconic,SetActiveWindow,12_2_00424194
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,12_2_00418384
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00417598 IsIconic,GetCapture,12_2_00417598
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00417CCE IsIconic,SetWindowPos,12_2_00417CCE
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,12_2_00417CD0
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00483D18 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,12_2_00483D18
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,12_2_0041F118
                        Source: C:\Users\user\Desktop\KMSpico.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\KMSpico.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\KMSpico\KMSELDI.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\KMSpico\AutoPico.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara matchFile source: Process Memory Space: core.exe PID: 2368, type: MEMORYSTR
                        Source: core.exe, 0000000A.00000002.1573432475.00000000042DE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeMemory allocated: 3E20000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeMemory allocated: 4260000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeMemory allocated: 40C0000 memory reserve | memory write watch
                        Source: C:\Program Files\KMSpico\KMSELDI.exeMemory allocated: 620000 memory reserve | memory write watch
                        Source: C:\Program Files\KMSpico\KMSELDI.exeMemory allocated: 1A6E0000 memory reserve | memory write watch
                        Source: C:\Program Files\KMSpico\AutoPico.exeMemory allocated: E20000 memory reserve | memory write watch
                        Source: C:\Program Files\KMSpico\AutoPico.exeMemory allocated: 19010000 memory reserve | memory write watch
                        Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: C:\Program Files\KMSpico\UninsHs.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_16-805
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Windows\system32\Vestris.ResourceLib.dll (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\MyApp\is-I4K1U.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\Vestris.ResourceLib.dll (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\unins000.exe (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\is-L75HR.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AQBS1.tmp\_isetup\_shfoldr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\driver\is-A08CE.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Windows\System32\is-N17B1.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SCJT5.tmp\_isetup\_setup64.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\is-GQU4U.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\is-C96NM.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\MyApp\unins000.exe (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\is-DAA62.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AQBS1.tmp\_isetup\_setup64.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\Service_KMS.exe (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Program Files\KMSpico\driver\tap-windows-9.21.0.exe (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpDropped PE file which has not been started: C:\Windows\System32\is-95P9D.tmp
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_8-5967
                        Source: C:\Program Files\KMSpico\UninsHs.exeAPI coverage: 5.3 %
                        Source: C:\Windows\System32\svchost.exe TID: 6404Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2740Thread sleep time: -60000s >= -30000s
                        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00452A60 FindFirstFileA,GetLastError,12_2_00452A60
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_0047531C FindFirstFileA,FindNextFileA,FindClose,12_2_0047531C
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,12_2_00464158
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004985E4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,12_2_004985E4
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00462750 FindFirstFileA,FindNextFileA,FindClose,12_2_00462750
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,12_2_00463CDC
                        Source: C:\Program Files\KMSpico\UninsHs.exeCode function: 16_2_00401C98 FindFirstFileA,MessageBoxA,RtlZeroMemory,7558D0A0,16_2_00401C98
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeCode function: 8_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,8_2_00409B78
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                        Source: KMSpico.tmp, 00000001.00000003.1335621562.0000000000A0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
                        Source: MSBuild.exe, 00000016.00000002.2866573001.000000000154C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@*Y
                        Source: chrome.exe, 0000001C.00000002.2904035399.00000F9C01604000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
                        Source: svchost.exe, 00000007.00000002.2865788352.000001A9C124B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisorr
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                        Source: svchost.exe, 00000002.00000002.2870821700.0000021D73229000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2876905697.0000021D7885E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2871001767.000001F7306CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTckVMWare
                        Source: svchost.exe, 00000007.00000002.2866155356.000001A9C1264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
                        Source: core.exe, 0000000A.00000002.1573432475.00000000042DE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid PartitionW
                        Source: svchost.exe, 00000007.00000002.2866155356.000001A9C1264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: svchost.exe, 00000007.00000002.2867161283.000001A9C1302000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FEFB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor>
                        Source: svchost.exe, 0000001B.00000002.2869127682.000001F73062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: KMSELDI.exe, 00000014.00000002.2888927032.000000001D271000.00000004.00000020.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1651589363.00000000006AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: chrome.exe, 0000001C.00000002.2901043215.00000F9C00E5C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=f0b1888a-b806-477a-a23f-b771593e0db2
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
                        Source: svchost.exe, 00000007.00000002.2866155356.000001A9C1264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration ServiceU
                        Source: svchost.exe, 0000001B.00000002.2869604111.000001F73065E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EVMWare
                        Source: chrome.exe, 0000001C.00000002.2886212117.000002C43FF0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorll
                        Source: core.exe, 0000000A.00000002.1573432475.00000000042DE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                        Source: chrome.exe, 0000001C.00000003.2351385436.00000F9C003B4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware20,1
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                        Source: svchost.exe, 00000007.00000002.2866155356.000001A9C1264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: svchost.exe, 00000007.00000002.2864157472.000001A9C1200000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                        Source: svchost.exe, 00000007.00000002.2866925162.000001A9C1292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                        Source: KMSpico.tmp, 00000001.00000002.1338872568.0000000000A0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yB
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010E8000.00000004.00000800.00020000.00000000.sdmp, AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                        Source: MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW=
                        Source: core.exe, 0000000A.00000000.1322499665.0000000001BE6000.00000008.00000001.01000000.0000000D.sdmp, core.exe, 0000000A.00000002.1571153614.0000000001BFB000.00000008.00000001.01000000.0000000D.sdmpBinary or memory string: .?AVQEmulationPaintEngine@@
                        Source: AutoPico.exe, 00000015.00000002.1653298013.00000000010AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeAPI call chain: ExitProcess graph end nodegraph_8-6764
                        Source: C:\Program Files\KMSpico\UninsHs.exeAPI call chain: ExitProcess graph end nodegraph_16-727
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Program Files\KMSpico\AutoPico.exeProcess queried: DebugPort
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0044B8C0 LdrInitializeThunk,22_2_0044B8C0
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_004502C0
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeCode function: 10_2_038F0481 mov edx, dword ptr fs:[00000030h]10_2_038F0481
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeCode function: 10_2_038F0A41 mov eax, dword ptr fs:[00000030h]10_2_038F0A41
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeCode function: 10_2_038F1091 mov eax, dword ptr fs:[00000030h]10_2_038F1091
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeCode function: 10_2_038F1090 mov eax, dword ptr fs:[00000030h]10_2_038F1090
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeCode function: 10_2_038F0DF1 mov eax, dword ptr fs:[00000030h]10_2_038F0DF1
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeCode function: 10_2_038F1A7F mov eax, dword ptr fs:[00000030h]10_2_038F1A7F
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_00478898 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,12_2_00478898
                        Source: C:\Users\user\AppData\Local\Temp\is-BO18O.tmp\KMSpico.tmpProcess created: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe "C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe" Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"Jump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 7044 -ip 7044
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7044 -s 1624
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,12_2_0042E09C
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeCode function: GetLocaleInfoA,8_2_0040520C
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeCode function: GetLocaleInfoA,8_2_00405258
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: GetLocaleInfoA,12_2_00408568
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: GetLocaleInfoA,12_2_004085B4
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Program Files\KMSpico\KMSELDI.exeQueries volume information: C:\Program Files\KMSpico\KMSELDI.exe VolumeInformation
                        Source: C:\Program Files\KMSpico\KMSELDI.exeQueries volume information: C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll VolumeInformation
                        Source: C:\Program Files\KMSpico\KMSELDI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Program Files\KMSpico\KMSELDI.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Program Files\KMSpico\AutoPico.exeQueries volume information: C:\Program Files\KMSpico\AutoPico.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,12_2_004585C8
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeCode function: 8_2_004026C4 GetSystemTime,8_2_004026C4
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpCode function: 12_2_0045559C GetUserNameA,12_2_0045559C
                        Source: C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exeCode function: 8_2_00405CF4 GetVersionExA,8_2_00405CF4
                        Source: C:\Users\user\AppData\Roaming\MyApp\core.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATEJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System EnableSmartScreenJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\is-PE1VH.tmp\KMSpico.tmpRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SmartScreenEnabled OffJump to behavior
                        Source: svchost.exe, 00000009.00000002.2870927778.0000026B97102000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                        Source: svchost.exe, 00000009.00000002.2870927778.0000026B97102000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                        Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: 22.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000016.00000002.2863240024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                        Source: MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Electrum\wallets
                        Source: MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\ElectronCash\wallets
                        Source: MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/JAXX New Version
                        Source: MSBuild.exe, 00000016.00000002.2868287826.000000000157B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                        Source: MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                        Source: MSBuild.exe, 00000016.00000002.2868287826.000000000157B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                        Source: MSBuild.exe, 00000016.00000002.2868508738.00000000015D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                        Source: core.exe, 0000000A.00000002.1603229813.0000000006BB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
                        Source: MSBuild.exe, 00000016.00000002.2868508738.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                        Source: Yara match File source: 00000016.00000002.2868508738.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6652, type: MEMORYSTR

                        Remote Access Functionality

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
                        Source: Yara match File source: 22.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000016.00000002.2863240024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000002.1599992271.000000000586A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: sslproxydump.pcap, type: PCAP
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 21 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 21 Native API | 1 Create Account | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 3 Command and Scripting Interpreter | 2 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Data from Local System | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 2 Windows Service | 1 Software Packing | NTDS | 47 System Information Discovery | Distributed Component Object Model | 1 Screen Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 1 Service Execution | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | 2 Clipboard Data | 15 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Scheduled Task/Job | 1 File Deletion | Cached Domain Credentials | 5 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 23 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 5 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                        [Figure: Behavior Graph. ID: 1632207, Sample: KMSpico.exe, Startdate: 07/03/2025, Architecture: WINDOWS, Score: 82]

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.