Windows Analysis Report
nsis-installer.exe

Overview

General Information

Sample name:	nsis-installer.exe
Analysis ID:	1427113
MD5:	85aea19a596f59d0dbf368f99be6a139
SHA1:	9fd84c0780b6555cdeed499b30e5d67071998fbc
SHA256:	7a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Loading BitLocker PowerShell Module

Opens the same file many times (likely Sandbox evasion)

Tries to steal communication platform credentials (via file / registry access)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Console CodePage Lookup Via CHCP

Sigma detected: Startup Folder File Write

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nsis-installer.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Virustotal: Detection: 7%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Virustotal: Detection: 8%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Virustotal: Detection: 7%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for submitted file

Source: nsis-installer.exe	ReversingLabs: Detection: 37%
Source: nsis-installer.exe	Virustotal: Detection: 30%			Perma Link

Uses 32bit PE files

Source: nsis-installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\nsis-installer.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfbc383d-9aa0-5771-9485-7b806e8442d5

Jump to behavior

Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\LICENSE.electron.txt			Jump to behavior

Source: nsis-installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BCC = $(NCC) -nologo -W3 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: del /Q .exp .lo .ilk .lib .obj .ncb .pdb .sdf *.suo 2>NUL source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: LTCOMPILE = $(TCC) -Fo$@ -Fd$*.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: CLEANFILES="$CLEANFILES .lib .dll .pdb .exp" source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\STATEMENT.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\STATEMENT.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /OUT:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.NODE" /INCREMENTAL:NO /NOLOGO KERNEL32.LIB USER32.LIB GDI32.LIB WINSPOOL.LIB COMDLG32.LIB ADVAPI32.LIB SHELL32.LIB OLE32.LIB OLEAUT32.LIB UUID.LIB ODBC32.LIB DELAYIMP.LIB "C:\\USERS\\ADMINISTRATOR\\.ELECTRON-GYP\\24.1.1\\IA32\\NODE.LIB" DELAYIMP.LIB /DELAYLOAD:NODE.EXE /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB" /OPT:REF /OPT:ICF /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /SAFESEH /LTCG:INCREMENTAL /ignore:4199 /DLL RELEASE\OBJ\NODE_SQLITE3\WIN_DELAY_LOAD_HOOK.OBJ source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| *.dSYM ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -typedil-fC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\node-gyp\src\win_delay_load_hook.cc-Gs4096-dos-Zi-Z7-W3-pdbrpc-Og-Ob2-Ot-EHs-MT-GS-Gy-FitObjFunc-FitObjData-NoRTTI-FoC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\deps\Release\obj\sqlite3\win_delay_load_hook.obj-FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb-errorreport:queue source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\NODE_SQLITE3.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\NODE_SQLITE3.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCPMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb`)p) source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-GYP\SRC\WIN_DELAY_LOAD_HOOK.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SQLITE3EXEPDB = /pdb:sqlite3sh.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBVCRUNTIME.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0, then it is assumed to already be present on the source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BCC = $(NCC) -nologo -W4 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: nsis-installer.exe, 00000000.00000003.2336434743.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\BACKUP.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\BACKUP.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** for all file descriptors with rbu_file.pDb!=0. If the argument has source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0. source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\DATABASE.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\DATABASE.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: nsis-installer.exe, 00000000.00000003.2256512300.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2338261653.0000000004E41000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2256207119.0000000002E60000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Jump to behavior

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: V8.MemoryHeapUsedV8.MemoryHeapCommittedmail.google.com.gmaildrive.google.com.docsplus.google.com.plus.inbox.calendarwww.youtube.com.youtube.top10sina.com.cnfacebook.combaidu.comtwitter.comtaobao.comwikipedia equals www.youtube.com (Youtube)
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1085
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1452
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1452expandIntegerPowExpressionsThe
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1512
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1637
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1936
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2046
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2152
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2152skipVSConstantRegisterZeroIn
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2273
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2894
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2978
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3027
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3045
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3246
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3246allowClearForRobustResourceInitSome
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3682
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3682allowES3OnFL100Allow
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3729
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3997
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4214
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4267
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4646
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/482
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007disableDrawBuffersIndexedDisable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5469
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5577
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658forceGlErrorCheckingForce
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750forceRobustResourceInitForce-enable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041forceInitShaderVariablesForce-enable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036dumpShaderSourceWrite
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279cacheCompiledShaderEnable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7527
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724disableAnisotropicFilteringDisable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760enableShaderSubstitutionCheck
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761Frontend
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me)
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me/)
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgit.freedesktop.org/xorg/xserver/tree/COPYING
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cldr.unicode.org/index/downloads
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/smhasher/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/v8
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1094869
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/110263
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1144207
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1165751
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1165751disableProgramBinaryDisable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1171371
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1181068
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1181193
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/308366
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/403957
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/550292
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/565179
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/642227
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/642605
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/644669
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/650547
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/672380
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/709351
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/797243
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/809422
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/830046
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/849576
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/883276
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/927470
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThere
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gds1-20
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://devel.freebsoft.org/speechd
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://developer.android.com/tools/extras/support-library.html
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/common
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/commonnode-set..
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedorahosted.org/lohit>
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fossil-scm.org).
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedesktop.org
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://git.linuxtv.org/v4l-utils.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.github.io/snappy/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icl.com/saxon
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icl.com/saxonorg.apache.xalan.xslt.extensions.RedirectxsltDocumentElem:
Source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://int3.de/
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://istanbul-js.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://labs.creativecommons.org/licenses/zero-waive/1.0/us/legalcode>
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://localhosthttp://127.0.0.1object-src
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mxr.mozilla.org/comm-central/source/mozilla/netwerk/base/src/nsURLParsers.cpp
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://n8.io/)
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://narwhaljs.org)
Source: nsis-installer.exe, 00000000.00000002.2380954483.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nsis-installer.exe, 00000000.00000000.2130486279.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0J
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://re-becca.org)
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://re-becca.org/)
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s..
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://scripts.sil.org/OFL
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://source.android.com/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://source.android.com/compatibility)
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/xz/COPYING
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tukaani.org/xz/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://valgrind.org
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://web.archive.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://webkit.org/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wpad/wpad.dat
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wpad/wpad.dat..
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chromium.org
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fossil-scm.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freedesktop.org/wiki/Software/xdg-user-dirs
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.futurealoof.com)
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gutenberg.org/ebooks/53).
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.icu-project.org/userguide/posix.html#case_mappings
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jclark.com/xt
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.linux-usb.org/usb-ids.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nongnu.org/freebangfont/downloads.html#mukti
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ploscompbiol.org/static/license
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.software-architect.net/blog/article/date/2015/06/12/-826c6e5052.html
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/compile.html).
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/src/info/6709574d2a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/src/info/f2369304e4
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/tclsqlite.html
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.strongtalk.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suitable.com
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suitable.com/tools/smslib.html
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suitable.com/tools/smslib.html>
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org
Source: nsis-installer.exe, 00000000.00000003.2185816773.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/namespace
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/namespacehttp://www.jclark.com/xtxsl:key
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/xsltNewExtDef
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zlib.net/
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4674
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4849
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5140
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5536
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246enableCaptureLimitsSet
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7405
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/uploadhttps://beacons.gvt2.com/domainreliability/uplo
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons3.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3rpDuEX.
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3rpDuEX.WebBundleURLLoaderFactory::OnResponseParsedInvalid
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.htmlMixed
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.fuchsia.dev/p/fuchsia/issues/detail?id=107106
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.android.clients.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.bigcache.googleapis.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.doc-0-0-sj.sj.googleusercontent.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.docs.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.drive.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.googlesyndication.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.pack.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.play.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.youtube.com/
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://chrome-devtools-frontend.appspot.com/
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5105856067141632.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5463833265045504.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5463833265045504.Found
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/angle/angle/
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/vulkan-deps/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/webm/libwebm
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/webm/libwebp
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#clear
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count-map
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#countreset
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#table
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1038223.
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1042393
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1046462
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1060012
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1091824
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1137851
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1154140
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1300575
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1356053
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1412729
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024selectViewInGeometryShaderThe
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/619103.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/619103.Subsequence
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547callClearTwiceUsing
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534useSystemMemoryForConstantBuffersCopying
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/705865
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/710443
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/811661
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/848952
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119..
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/981419
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/v8/7848
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by/3.0/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dejavu-fonts.github.io/Download.html
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/blog/enabling-shared-array-buffer/
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/blog/immutable-document-domain/
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developers.google.com/android/guides/setup
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developers.google.com/web/updates/2016/08/removing-document-write
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://elinux.org/RPI_vcgencmd_usage
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://elinux.org/RPi_HardwareHistory
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-flush
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcp.gvt2.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcp.gvt6.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Buzut)
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Cyan4973/xxHash
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GoogleChromeLabs/text-fragments-polyfill
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Cross
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Headers
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Loader
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Squirrel/Squirrel.Mac
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TooTallNate/util-deprecate
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.border-boxcontent-bo
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/scheduling-apis
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/shared-element-transitions/blob/main/debugging_overflow_on_images.md.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/view-transitions/blob/main/debugging_overflow_on_images.md
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aawc/unrar.git
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js#L23
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/supports-color
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/csy1983)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/electron/electron/issues/18397.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/electron/electron/issues/18397.Module
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/glegrain)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-compiler/wiki/Source-Maps
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/diff-match-patch/tree/master/javascript
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/distributed_point_functions
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/google-api-cpp-client/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/ruy
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/ukey2
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/woff2
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/wuffs-mirror-release-c
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/xnnpack
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/heycam/webidl/pull/946.
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iarna/unique-filename
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iarna/unique-filename.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iarna/wide-align
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/color-support.
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/minipass.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/node-tar.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/yallist.git
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lapsio)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/pump
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mikeal/tunnel-agent
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mysticatea/abort-controller
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/10673
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/13435
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/13581
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/3392
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/34532
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35475
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35981
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39707
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39758
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/45699
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/21313
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30958
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/32887
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33661
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/3394
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34385
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35941
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/44952
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/46161
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/string_decoder
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-semver.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/blob/51b6627a1f357d2eb433e7378e5f05e83b7aa6cd/lib/header.js#L349
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/issues/183
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/pull/187
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/ssri
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/wrappy
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/richy24)
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sebhildebrandt/systeminformation.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/sindresorhus
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-weakrefs
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/models
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/tensorflow
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/text.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/tflite-support
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/ServiceWorker/issues/1356.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/ServiceWorker/issues/1356.v8.produceCachev8.produceModuleCacheV8.ProduceCodeC
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120Access
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-features
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-featuresDeviceOri
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wasdk/wasmparser
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/web-animations/web-animations-js
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/wayland/weston
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/xdg/xdgmime
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/xorg/proto/xproto/
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22MEDIA_ELEMENT_ERROR:
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22Media
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/rStTGz
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/t5IS6M).
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/xX8pDD
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/xX8pDDplay()
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/ximf56
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/ximf56Iframe
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gle/chrome-insecure-origins
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-analytics.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googlevideo.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt1.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt2.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt6.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#Replaceable
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-class-string
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-operations
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/canvas.html#concept-canvas-will-read-frequently
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/canvas.html#concept-canvas-will-read-frequentlyOut
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/dom.html#custom-data-attribute.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903emulatePixelLocalStorageEmulate
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jimmy.warting.se/opensource
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://no-color.org/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/http.html#http_class_http_incomingmessage
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/node-v18.14.0-headers.tar.gz
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/node-v18.14.0.tar.gz
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/node-v18.14.0.tar.gzhttps://nodejs.org/download/release
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/win-x86/node.lib
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/en/docs/inspector
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/en/docs/inspectorFor
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/static/images/favicons/favicon.ico
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/static/images/favicons/favicon.icofaviconUrldevtoolsFrontendUrldevtoolsFrontendUr
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pagure.io/lohit
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).No
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://plus-innovations.com)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://semver.org/
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com)
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/site/gaviotachessuser/Home/endgame-tablebases-1
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sourceforge.net/projects/wtl/files/WTL%2010/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sourcemaps.info/spec.html
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/08a0d6d9bf
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/157dc791df
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/206d99a16dd9212f
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/24083b579d.
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/2d76f2bcf65d256a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/36937b197273d403
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/51e6959f61
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/68d284c86b082c3e
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/726219164b
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/83cb4a95a0
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/b40696f50145d21c
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/eb8613976a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/0f0428096f17252a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/b043a54c3de54b28
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/c94369cae9b561b1
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/ce8717f0885af975
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/fd76310a5e843e07
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://systeminformation.io
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-%iteratorprototype%-object
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://testanything.org/tap-version-14-specification.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://testanything.org/tap-version-14-specification.html#subtests
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5234#appendix-B.1
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#cannot-have-a-username-password-port
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url-serializing
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://v8.dev/blog/v8-release-89
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/manifest/#installability-signals
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dom-performance-setresourcetimingbuffersize
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webassembly.github.io/spec/web-api
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-dictionary
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.ubuntuusers.de/lsblk/
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.buymeacoffee.com/systeminfo
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/4664843055398912
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5082396709879808
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5093566007214080
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5636954674692096
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5718547946799104
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5738264052891648
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5745543795965952
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5745543795965952unload/beforeunload
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5851021045661696.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5851021045661696.The
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312InputDeviceCapabilities
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromium.org/blink/origin-trials/portals.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromium.org/blink/origin-trials/portals.The
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.4.0a.pdf
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.inetdaemon.com/tutorials/internet/ip/routing/default_route.shtml
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.raspberrypi.org/documentation/hardware/raspberrypi/revision-codes/README.md
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc9110#section-5.2
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/src/info/083f9e6270).
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/src/info/908f001483982c43
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/src/info/bba7b69f9849b5bf
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.swift.org/download/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/copyright.html.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\nsis-installer.exe

Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405461

Installs a raw input device (often for capturing keystrokes)

Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices() failed for RIDEV_REMOVE

memstr_8d7e117d-c

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\nsis-installer.exe

Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040338F

Detected potential crypto function

Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00404C9E	0_2_00404C9E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526B950	19_2_0526B950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_05266808	19_2_05266808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526EE00	19_2_0526EE00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526B94F	19_2_0526B94F

Enables security privileges

Source: C:\Users\user\Desktop\nsis-installer.exe

Process token adjusted: Security

Jump to behavior

PE / OLE file has an invalid certificate

Source: nsis-installer.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: nsis-installer.exe, 00000000.00000003.2336434743.00000000050C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibEGL.dllb! vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameElevate.exeH vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2264196913.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs nsis-installer.exe

Uses 32bit PE files

Source: nsis-installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@76/131@48/3

Source: C:\Users\user\Desktop\nsis-installer.exe

0_2_0040338F

Source: C:\Users\user\Desktop\nsis-installer.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: C:\Users\user\Desktop\nsis-installer.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\nsis-installer.exe

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Users\user\Desktop\nsis-installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\cfbc383d-9aa0-5771-9485-7b806e8442d5

Source: C:\Users\user\Desktop\nsis-installer.exe

File created: C:\Users\user\AppData\Local\Temp\nscFBA.tmp

Jump to behavior

Source: nsis-installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SERENITYTHERAPYINSTALLER.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\nsis-installer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nsis-installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Selector or media text is not valid.Source range didn't match existing source rangeSource range didn't match existing style source rangeKeyframe key text is not valid.Style text is not valid.Selector or container query text is not valid.CQ Source range didn't match existing style source rangeSelector or supports rule text is not valid.Supports source range didn't match existing source rangeSelector or scope rule text is not valid.Scope source range didn't match existing source range' could not be added in style sheet.The rule '' could not be added in media rule.Cannot insert rule inside rule selector.Cannot insert rule in non-media rule.Source range must be collapsed.Rule text is not valid.Style is read-only.No style rule could be found in given range.No parent stylesheet could be found.Cannot remove rule from non-media rule./\[^]?\*/: none; }-webkit-boguz-propertee { -webkit-boguz-propertee : none; } }@keyframes boguzAnim { div {: none; } } { div { @media @container @scope -moz--o--ms-"' %
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

Source: nsis-installer.exe	ReversingLabs: Detection: 37%
Source: nsis-installer.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\nsis-installer.exe

File read: C:\Users\user\Desktop\nsis-installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nsis-installer.exe "C:\Users\user\Desktop\nsis-installer.exe"
Source: C:\Users\user\Desktop\nsis-installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv \| %SYSTEMROOT%\System32\find.exe "SerenityTherapyInstaller.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "SerenityTherapyInstaller.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\Desktop\nsis-installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv \| %SYSTEMROOT%\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll

Source: C:\Users\user\Desktop\nsis-installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\nsis-installer.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfbc383d-9aa0-5771-9485-7b806e8442d5

Jump to behavior

Source: nsis-installer.exe

Static file information: File size 78057262 > 1048576

Source: nsis-installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BCC = $(NCC) -nologo -W3 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: del /Q .exp .lo .ilk .lib .obj .ncb .pdb .sdf *.suo 2>NUL source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: LTCOMPILE = $(TCC) -Fo$@ -Fd$*.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: CLEANFILES="$CLEANFILES .lib .dll .pdb .exp" source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\STATEMENT.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\STATEMENT.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /OUT:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.NODE" /INCREMENTAL:NO /NOLOGO KERNEL32.LIB USER32.LIB GDI32.LIB WINSPOOL.LIB COMDLG32.LIB ADVAPI32.LIB SHELL32.LIB OLE32.LIB OLEAUT32.LIB UUID.LIB ODBC32.LIB DELAYIMP.LIB "C:\\USERS\\ADMINISTRATOR\\.ELECTRON-GYP\\24.1.1\\IA32\\NODE.LIB" DELAYIMP.LIB /DELAYLOAD:NODE.EXE /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB" /OPT:REF /OPT:ICF /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /SAFESEH /LTCG:INCREMENTAL /ignore:4199 /DLL RELEASE\OBJ\NODE_SQLITE3\WIN_DELAY_LOAD_HOOK.OBJ source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| *.dSYM ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -typedil-fC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\node-gyp\src\win_delay_load_hook.cc-Gs4096-dos-Zi-Z7-W3-pdbrpc-Og-Ob2-Ot-EHs-MT-GS-Gy-FitObjFunc-FitObjData-NoRTTI-FoC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\deps\Release\obj\sqlite3\win_delay_load_hook.obj-FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb-errorreport:queue source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\NODE_SQLITE3.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\NODE_SQLITE3.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCPMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb`)p) source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-GYP\SRC\WIN_DELAY_LOAD_HOOK.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SQLITE3EXEPDB = /pdb:sqlite3sh.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBVCRUNTIME.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0, then it is assumed to already be present on the source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BCC = $(NCC) -nologo -W4 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: nsis-installer.exe, 00000000.00000003.2336434743.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\BACKUP.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\BACKUP.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** for all file descriptors with rbu_file.pDb!=0. If the argument has source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0. source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\DATABASE.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\DATABASE.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: nsis-installer.exe, 00000000.00000003.2256512300.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2338261653.0000000004E41000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2256207119.0000000002E60000.00000004.00001000.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: d3dcompiler_47.dll.0.dr

Static PE information: 0xBEBD7FD7 [Fri May 29 01:54:31 2071 UTC]

PE file contains sections with non-standard names

Source: libEGL.dll.0.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: .rodata
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: CPADinfo
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.0.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: .rodata
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: CPADinfo
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll0.0.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.0.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll0.0.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_05263426 push eax; retf	19_2_05263429
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_05265428 push eax; mov dword ptr [esp], edx	19_2_0526542C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526A750 push esi; iretd	19_2_0526A75E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526EDF0 push esi; iretd	19_2_0526EDFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526ECC1 pushad ; iretd	19_2_0526ECCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526FE37 push esi; iretd	19_2_0526FE46

Drops PE files

Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\SerenityTherapyInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Jump to dropped file

Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\LICENSE.electron.txt			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\nsis-installer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SerenityTherapyInstaller.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File opened: \Device\RasAcd count: 67341			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File opened: \Device\RasAcd count: 66586

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3944	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3555
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 508
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2376
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2388
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 645

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776	Thread sleep count: 3944 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776	Thread sleep count: 286 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3184	Thread sleep count: 3555 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep count: 508 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 1308 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 988	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5028	Thread sleep count: 2376 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5164	Thread sleep count: 84 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4924	Thread sleep count: 2388 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6924	Thread sleep count: 89 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568	Thread sleep count: 645 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3756	Thread sleep time: -922337203685477s >= -30000s

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\nsis-installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user FullSizeInformation

Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Jump to behavior

Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Virtual Webcam
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (lines.indexOf('VRTUAL') >= 0 \|\| lines.indexOf('A M I ') >= 0 \|\| lines.indexOf('VirtualBox') >= 0 \|\| lines.indexOf('VMWare') >= 0 \|\| lines.indexOf('Xen') >= 0 \|\| lines.indexOf('Parallels') >= 0) {
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: nsis-installer.exe, 00000000.00000003.2342441523.0000000002DA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdK
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'Hyper-V';
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: const stdout = execSync('dmesg 2>/dev/null \| grep -iE "virtual\|hypervisor" \| grep -iE "vmware\|qemu\|kvm\|xen" \| grep -viE "Nested Virtualization\|/virtual/"');
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if (str.indexOf('tcg') >= 0) { result = 'QEMU'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (lines.indexOf('VMware') >= 0 && !result.virtualHost) {
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Virtual WebcamMedia.VideoCapture.BlacklistedDeviceGoogle Camera AdapterIP Camera [JPEG/MJPEG]CyberLink Webcam SplitterEpocCamWebcamMax..\..\media\capture\video\video_capture_metrics.ccDevice supports Media.VideoCapture.Device.SupportedPixelFormatMedia.VideoCapture.Device.SupportedResolution
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: case 'vmware':
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (stdout.toString().toLowerCase().indexOf('vmware') >= 0 && !result.virtualHost) {
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (model.startsWith('vmware')) { result.virtualHost = 'VMware'; }
Source: nsis-installer.exe, 00000000.00000003.2335886092.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if (str.indexOf('qemu') >= 0) { result = 'QEMU'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (manufacturer.startsWith('vmware') \|\| manufacturer.startsWith('qemu') \|\| manufacturer === 'xen' \|\| manufacturer.startsWith('parallels')) {
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (manufacturer.startsWith('qemu')) { result.virtualHost = 'KVM'; }
Source: nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tga
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (manufacturer.startsWith('vmware')) { result.virtualHost = 'VMware'; }
Source: nsis-installer.exe, 00000000.00000003.2335886092.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f562
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (IsLinux() && isVMWare) \|\| (IsAndroid() && isNvidia) \|\| (IsAndroid() && GetAndroidSdkLevel() < 27 && IsAdreno5xxOrOlder(functions)) \|\| (IsAndroid() && IsMaliT8xxOrOlder(functions)) \|\| (IsAndroid() && IsMaliG31OrOlder(functions))
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'VMware';
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (model === 'virtualbox' \|\| model === 'kvm' \|\| model === 'virtual machine' \|\| model === 'bochs' \|\| model.startsWith('vmware') \|\| model.startsWith('qemu') \|\| model.startsWith('parallels')) {
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (stdout.toString().toLowerCase().indexOf('qemu') >= 0 && !result.virtualHost) {
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (result.model.toLowerCase() === 'virtualbox' \|\| result.model.toLowerCase() === 'kvm' \|\| result.model.toLowerCase() === 'virtual machine' \|\| result.model.toLowerCase() === 'bochs' \|\| result.model.toLowerCase().startsWith('vmware') \|\| result.model.toLowerCase().startsWith('droplet')) {
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (model.startsWith('qemu')) { result.virtualHost = 'KVM'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (result.manufacturer.toLowerCase().startsWith('vmware') \|\| result.manufacturer.toLowerCase() === 'xen') {
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'VMware';
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'QEMU';
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'VMware';
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IIAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
Source: nsis-installer.exe, 00000000.00000003.2342518948.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#Cd
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if (str.indexOf('vmware') >= 0) { result = 'VMware'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: case 'vmware':
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (disksById.indexOf('_QEMU_') >= 0) {
Source: nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Screen Codec / VMware Video

Source: C:\Users\user\Desktop\nsis-installer.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\nsis-installer.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\nsis-installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv \| %SYSTEMROOT%\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2

Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_ProgmanWindowsDeleteStringWindowsCreateString
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: ..\..\electron\shell\browser\ui\views\electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\resources\app.asar VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\SysWOW64\cmd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\SysWOW64\cmd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData\Roaming\SerenityTherapyInstaller\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation

Source: C:\Users\user\Desktop\nsis-installer.exe

0_2_0040338F

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\Discord
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordCanary
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordPTB

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
chrome.cloudflare-dns.com	172.64.41.3	true
ipinfo.io	34.117.186.192	true
illitmagnetic.site	unknown	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nsis-installer.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Virustotal: Detection: 7%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Virustotal: Detection: 8%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Virustotal: Detection: 7%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for submitted file

Source: nsis-installer.exe	ReversingLabs: Detection: 37%
Source: nsis-installer.exe	Virustotal: Detection: 30%			Perma Link

Uses 32bit PE files

Source: nsis-installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\nsis-installer.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfbc383d-9aa0-5771-9485-7b806e8442d5

Jump to behavior

Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\LICENSE.electron.txt			Jump to behavior

Source: nsis-installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BCC = $(NCC) -nologo -W3 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: del /Q .exp .lo .ilk .lib .obj .ncb .pdb .sdf *.suo 2>NUL source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: LTCOMPILE = $(TCC) -Fo$@ -Fd$*.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: CLEANFILES="$CLEANFILES .lib .dll .pdb .exp" source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\STATEMENT.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\STATEMENT.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /OUT:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.NODE" /INCREMENTAL:NO /NOLOGO KERNEL32.LIB USER32.LIB GDI32.LIB WINSPOOL.LIB COMDLG32.LIB ADVAPI32.LIB SHELL32.LIB OLE32.LIB OLEAUT32.LIB UUID.LIB ODBC32.LIB DELAYIMP.LIB "C:\\USERS\\ADMINISTRATOR\\.ELECTRON-GYP\\24.1.1\\IA32\\NODE.LIB" DELAYIMP.LIB /DELAYLOAD:NODE.EXE /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB" /OPT:REF /OPT:ICF /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /SAFESEH /LTCG:INCREMENTAL /ignore:4199 /DLL RELEASE\OBJ\NODE_SQLITE3\WIN_DELAY_LOAD_HOOK.OBJ source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| *.dSYM ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -typedil-fC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\node-gyp\src\win_delay_load_hook.cc-Gs4096-dos-Zi-Z7-W3-pdbrpc-Og-Ob2-Ot-EHs-MT-GS-Gy-FitObjFunc-FitObjData-NoRTTI-FoC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\deps\Release\obj\sqlite3\win_delay_load_hook.obj-FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb-errorreport:queue source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\NODE_SQLITE3.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\NODE_SQLITE3.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCPMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb`)p) source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-GYP\SRC\WIN_DELAY_LOAD_HOOK.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SQLITE3EXEPDB = /pdb:sqlite3sh.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBVCRUNTIME.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0, then it is assumed to already be present on the source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BCC = $(NCC) -nologo -W4 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: nsis-installer.exe, 00000000.00000003.2336434743.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\BACKUP.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\BACKUP.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** for all file descriptors with rbu_file.pDb!=0. If the argument has source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0. source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\DATABASE.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\DATABASE.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: nsis-installer.exe, 00000000.00000003.2256512300.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2338261653.0000000004E41000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2256207119.0000000002E60000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Jump to behavior

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: V8.MemoryHeapUsedV8.MemoryHeapCommittedmail.google.com.gmaildrive.google.com.docsplus.google.com.plus.inbox.calendarwww.youtube.com.youtube.top10sina.com.cnfacebook.combaidu.comtwitter.comtaobao.comwikipedia equals www.youtube.com (Youtube)
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: unknown

Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1085
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1452
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1452expandIntegerPowExpressionsThe
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1512
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1637
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1936
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2046
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2152
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2152skipVSConstantRegisterZeroIn
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2273
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2894
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2978
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3027
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3045
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3246
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3246allowClearForRobustResourceInitSome
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3682
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3682allowES3OnFL100Allow
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3729
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3997
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4214
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4267
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4646
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/482
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007disableDrawBuffersIndexedDisable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5469
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5577
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658forceGlErrorCheckingForce
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750forceRobustResourceInitForce-enable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041forceInitShaderVariablesForce-enable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036dumpShaderSourceWrite
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279cacheCompiledShaderEnable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7527
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724disableAnisotropicFilteringDisable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760enableShaderSubstitutionCheck
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761Frontend
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me)
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me/)
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgit.freedesktop.org/xorg/xserver/tree/COPYING
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cldr.unicode.org/index/downloads
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/smhasher/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/v8
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1094869
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/110263
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1144207
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1165751
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1165751disableProgramBinaryDisable
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1171371
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1181068
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1181193
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/308366
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/403957
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/550292
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/565179
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/642227
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/642605
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/644669
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/650547
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/672380
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/709351
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/797243
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/809422
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/830046
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/849576
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/883276
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/927470
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThere
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gds1-20
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://devel.freebsoft.org/speechd
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://developer.android.com/tools/extras/support-library.html
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/common
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/commonnode-set..
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedorahosted.org/lohit>
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fossil-scm.org).
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedesktop.org
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://git.linuxtv.org/v4l-utils.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.github.io/snappy/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icl.com/saxon
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icl.com/saxonorg.apache.xalan.xslt.extensions.RedirectxsltDocumentElem:
Source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://int3.de/
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://istanbul-js.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://labs.creativecommons.org/licenses/zero-waive/1.0/us/legalcode>
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://localhosthttp://127.0.0.1object-src
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mxr.mozilla.org/comm-central/source/mozilla/netwerk/base/src/nsURLParsers.cpp
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://n8.io/)
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://narwhaljs.org)
Source: nsis-installer.exe, 00000000.00000002.2380954483.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nsis-installer.exe, 00000000.00000000.2130486279.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0J
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://re-becca.org)
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://re-becca.org/)
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s..
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://scripts.sil.org/OFL
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://source.android.com/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://source.android.com/compatibility)
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/xz/COPYING
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tukaani.org/xz/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://valgrind.org
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://web.archive.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://webkit.org/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wpad/wpad.dat
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wpad/wpad.dat..
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chromium.org
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fossil-scm.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freedesktop.org/wiki/Software/xdg-user-dirs
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.futurealoof.com)
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gutenberg.org/ebooks/53).
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.icu-project.org/userguide/posix.html#case_mappings
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jclark.com/xt
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.linux-usb.org/usb-ids.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nongnu.org/freebangfont/downloads.html#mukti
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ploscompbiol.org/static/license
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.software-architect.net/blog/article/date/2015/06/12/-826c6e5052.html
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/compile.html).
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/src/info/6709574d2a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/src/info/f2369304e4
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/tclsqlite.html
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.strongtalk.org/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suitable.com
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suitable.com/tools/smslib.html
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suitable.com/tools/smslib.html>
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org
Source: nsis-installer.exe, 00000000.00000003.2185816773.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/namespace
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/namespacehttp://www.jclark.com/xtxsl:key
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT/xsltNewExtDef
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zlib.net/
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4674
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4849
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5140
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5536
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246enableCaptureLimitsSet
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7405
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gcp.gvt2.com/domainreliability/uploadhttps://beacons.gvt2.com/domainreliability/uplo
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons2.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons3.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons4.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt2.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beacons5.gvt3.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3rpDuEX.
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3rpDuEX.WebBundleURLLoaderFactory::OnResponseParsedInvalid
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.htmlMixed
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.fuchsia.dev/p/fuchsia/issues/detail?id=107106
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.android.clients.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.bigcache.googleapis.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.doc-0-0-sj.sj.googleusercontent.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.docs.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.drive.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.googlesyndication.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.pack.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.play.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://c.youtube.com/
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://chrome-devtools-frontend.appspot.com/
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5105856067141632.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5463833265045504.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromestatus.com/feature/5463833265045504.Found
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/angle/angle/
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/vulkan-deps/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/webm/libwebm
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/webm/libwebp
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/domainreliability/upload
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#clear
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count-map
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#countreset
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#table
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1038223.
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1042393
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1046462
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1060012
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1091824
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1137851
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1154140
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1300575
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1356053
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1412729
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024selectViewInGeometryShaderThe
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/619103.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/619103.Subsequence
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547callClearTwiceUsing
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534useSystemMemoryForConstantBuffersCopying
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/705865
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/710443
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/811661
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/848952
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/927119..
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/981419
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/v8/7848
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by/3.0/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dejavu-fonts.github.io/Download.html
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/blog/enabling-shared-array-buffer/
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/blog/immutable-document-domain/
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developers.google.com/android/guides/setup
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developers.google.com/web/updates/2016/08/removing-document-write
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://elinux.org/RPI_vcgencmd_usage
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://elinux.org/RPi_HardwareHistory
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-flush
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcp.gvt2.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gcp.gvt6.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Buzut)
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Cyan4973/xxHash
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GoogleChromeLabs/text-fragments-polyfill
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Cross
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Headers
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Loader
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Squirrel/Squirrel.Mac
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TooTallNate/util-deprecate
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.border-boxcontent-bo
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/scheduling-apis
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/shared-element-transitions/blob/main/debugging_overflow_on_images.md.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WICG/view-transitions/blob/main/debugging_overflow_on_images.md
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aawc/unrar.git
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js#L23
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/supports-color
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/csy1983)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/electron/electron/issues/18397.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/electron/electron/issues/18397.Module
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/glegrain)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-compiler/wiki/Source-Maps
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/diff-match-patch/tree/master/javascript
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/distributed_point_functions
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/google-api-cpp-client/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/ruy
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/ukey2
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/woff2
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/wuffs-mirror-release-c
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/xnnpack
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/heycam/webidl/pull/946.
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iarna/unique-filename
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iarna/unique-filename.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/iarna/wide-align
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/color-support.
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/minipass.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/node-tar.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/yallist.git
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lapsio)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/pump
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-fs.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/tar-stream.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mikeal/tunnel-agent
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mysticatea/abort-controller
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/10673
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/13435
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/13581
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/3392
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/34532
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35475
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35981
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39707
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39758
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/45699
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/21313
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30958
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/32887
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33661
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/3394
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34385
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35941
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/44952
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/46161
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/string_decoder
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-semver.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/blob/51b6627a1f357d2eb433e7378e5f05e83b7aa6cd/lib/header.js#L349
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/issues/183
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/node-tar/pull/187
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/ssri
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/npm/wrappy
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/richy24)
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sebhildebrandt/systeminformation.git
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/sindresorhus
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-weakrefs
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/models
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/tensorflow
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/text.git
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/tflite-support
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/ServiceWorker/issues/1356.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/ServiceWorker/issues/1356.v8.produceCachev8.produceModuleCacheV8.ProduceCodeC
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/gamepad/pull/120Access
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-features
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#sensor-featuresDeviceOri
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wasdk/wasmparser
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/web-animations/web-animations-js
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/wayland/weston
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/xdg/xdgmime
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.freedesktop.org/xorg/proto/xproto/
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22MEDIA_ELEMENT_ERROR:
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/LdLk22Media
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/rStTGz
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/t5IS6M).
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/xX8pDD
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/xX8pDDplay()
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/ximf56
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/ximf56Iframe
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gle/chrome-insecure-origins
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-analytics.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googlevideo.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt1.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt2.com/
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gvt6.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#Replaceable
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-class-string
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-operations
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/canvas.html#concept-canvas-will-read-frequently
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/canvas.html#concept-canvas-will-read-frequentlyOut
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/dom.html#custom-data-attribute.
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903emulatePixelLocalStorageEmulate
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: nsis-installer.exe, 00000000.00000003.2261777652.0000000007290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jimmy.warting.se/opensource
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://no-color.org/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/http.html#http_class_http_incomingmessage
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/node-v18.14.0-headers.tar.gz
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/node-v18.14.0.tar.gz
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/node-v18.14.0.tar.gzhttps://nodejs.org/download/release
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v18.14.0/win-x86/node.lib
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/en/docs/inspector
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/en/docs/inspectorFor
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/static/images/favicons/favicon.ico
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/static/images/favicons/favicon.icofaviconUrldevtoolsFrontendUrldevtoolsFrontendUr
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pagure.io/lohit
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).No
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://plus-innovations.com)
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://semver.org/
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sindresorhus.com)
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/site/gaviotachessuser/Home/endgame-tablebases-1
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sourceforge.net/projects/wtl/files/WTL%2010/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sourcemaps.info/spec.html
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/08a0d6d9bf
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/157dc791df
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/206d99a16dd9212f
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/24083b579d.
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/2d76f2bcf65d256a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/36937b197273d403
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/51e6959f61
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/68d284c86b082c3e
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/726219164b
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/83cb4a95a0
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/b40696f50145d21c
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/forum/forumpost/eb8613976a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/0f0428096f17252a
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/b043a54c3de54b28
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/c94369cae9b561b1
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/ce8717f0885af975
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sqlite.org/src/info/fd76310a5e843e07
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: nsis-installer.exe, 00000000.00000003.2342167557.0000000004E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://systeminformation.io
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-%iteratorprototype%-object
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://testanything.org/tap-version-14-specification.html
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://testanything.org/tap-version-14-specification.html#subtests
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5234#appendix-B.1
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#cannot-have-a-username-password-port
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url-serializing
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://v8.dev/blog/v8-release-89
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/manifest/#installability-signals
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dom-performance-setresourcetimingbuffersize
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webassembly.github.io/spec/web-api
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-dictionary
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.ubuntuusers.de/lsblk/
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.buymeacoffee.com/systeminfo
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/4664843055398912
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5082396709879808
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5093566007214080
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5636954674692096
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5718547946799104
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5738264052891648
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5745543795965952
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5745543795965952unload/beforeunload
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5851021045661696.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/5851021045661696.The
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312InputDeviceCapabilities
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromium.org/blink/origin-trials/portals.
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.chromium.org/blink/origin-trials/portals.The
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.4.0a.pdf
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.inetdaemon.com/tutorials/internet/ip/routing/default_route.shtml
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.raspberrypi.org/documentation/hardware/raspberrypi/revision-codes/README.md
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc9110#section-5.2
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/src/info/083f9e6270).
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/src/info/908f001483982c43
Source: nsis-installer.exe, 00000000.00000003.2203135466.00000000057C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/src/info/bba7b69f9849b5bf
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.swift.org/download/
Source: nsis-installer.exe, 00000000.00000003.2261150815.0000000006D50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: nsis-installer.exe, 00000000.00000003.2276494222.00000000050C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/copyright.html.
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\nsis-installer.exe

0_2_00405461

Installs a raw input device (often for capturing keystrokes)

Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices() failed for RIDEV_REMOVE

memstr_8d7e117d-c

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\nsis-installer.exe

0_2_0040338F

Detected potential crypto function

Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00404C9E	0_2_00404C9E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526B950	19_2_0526B950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_05266808	19_2_05266808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526EE00	19_2_0526EE00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526B94F	19_2_0526B94F

Enables security privileges

Source: C:\Users\user\Desktop\nsis-installer.exe

Process token adjusted: Security

Jump to behavior

PE / OLE file has an invalid certificate

Source: nsis-installer.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: nsis-installer.exe, 00000000.00000003.2336434743.00000000050C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibEGL.dllb! vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameElevate.exeH vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs nsis-installer.exe
Source: nsis-installer.exe, 00000000.00000003.2264196913.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs nsis-installer.exe

Uses 32bit PE files

Source: nsis-installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@76/131@48/3

Source: C:\Users\user\Desktop\nsis-installer.exe

0_2_0040338F

Source: C:\Users\user\Desktop\nsis-installer.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: C:\Users\user\Desktop\nsis-installer.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\nsis-installer.exe

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Users\user\Desktop\nsis-installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\cfbc383d-9aa0-5771-9485-7b806e8442d5

Source: C:\Users\user\Desktop\nsis-installer.exe

File created: C:\Users\user\AppData\Local\Temp\nscFBA.tmp

Jump to behavior

Source: nsis-installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SERENITYTHERAPYINSTALLER.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\nsis-installer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nsis-installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: nsis-installer.exe, 00000000.00000003.2261777652.000000000752F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Selector or media text is not valid.Source range didn't match existing source rangeSource range didn't match existing style source rangeKeyframe key text is not valid.Style text is not valid.Selector or container query text is not valid.CQ Source range didn't match existing style source rangeSelector or supports rule text is not valid.Supports source range didn't match existing source rangeSelector or scope rule text is not valid.Scope source range didn't match existing source range' could not be added in style sheet.The rule '' could not be added in media rule.Cannot insert rule inside rule selector.Cannot insert rule in non-media rule.Source range must be collapsed.Rule text is not valid.Style is read-only.No style rule could be found in given range.No parent stylesheet could be found.Cannot remove rule from non-media rule./\[^]?\*/: none; }-webkit-boguz-propertee { -webkit-boguz-propertee : none; } }@keyframes boguzAnim { div {: none; } } { div { @media @container @scope -moz--o--ms-"' %
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

Source: nsis-installer.exe	ReversingLabs: Detection: 37%
Source: nsis-installer.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\nsis-installer.exe

File read: C:\Users\user\Desktop\nsis-installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nsis-installer.exe "C:\Users\user\Desktop\nsis-installer.exe"
Source: C:\Users\user\Desktop\nsis-installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv \| %SYSTEMROOT%\System32\find.exe "SerenityTherapyInstaller.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "SerenityTherapyInstaller.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\Desktop\nsis-installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv \| %SYSTEMROOT%\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Section loaded: uiautomationcore.dll

Source: C:\Users\user\Desktop\nsis-installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\nsis-installer.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfbc383d-9aa0-5771-9485-7b806e8442d5

Jump to behavior

Source: nsis-installer.exe

Static file information: File size 78057262 > 1048576

Source: nsis-installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BCC = $(NCC) -nologo -W3 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: nsis-installer.exe, 00000000.00000003.2342229721.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: del /Q .exp .lo .ilk .lib .obj .ncb .pdb .sdf *.suo 2>NUL source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: LTCOMPILE = $(TCC) -Fo$@ -Fd$*.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: CLEANFILES="$CLEANFILES .lib .dll .pdb .exp" source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\STATEMENT.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\STATEMENT.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /OUT:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.NODE" /INCREMENTAL:NO /NOLOGO KERNEL32.LIB USER32.LIB GDI32.LIB WINSPOOL.LIB COMDLG32.LIB ADVAPI32.LIB SHELL32.LIB OLE32.LIB OLEAUT32.LIB UUID.LIB ODBC32.LIB DELAYIMP.LIB "C:\\USERS\\ADMINISTRATOR\\.ELECTRON-GYP\\24.1.1\\IA32\\NODE.LIB" DELAYIMP.LIB /DELAYLOAD:NODE.EXE /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manifest:embed /DEBUG /PDB:"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\NODE_SQLITE3.PDB" /OPT:REF /OPT:ICF /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /SAFESEH /LTCG:INCREMENTAL /ignore:4199 /DLL RELEASE\OBJ\NODE_SQLITE3\WIN_DELAY_LOAD_HOOK.OBJ source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| *.dSYM ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -typedil-fC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\node-gyp\src\win_delay_load_hook.cc-Gs4096-dos-Zi-Z7-W3-pdbrpc-Og-Ob2-Ot-EHs-MT-GS-Gy-FitObjFunc-FitObjData-NoRTTI-FoC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\deps\Release\obj\sqlite3\win_delay_load_hook.obj-FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb-errorreport:queue source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\NODE_SQLITE3.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\NODE_SQLITE3.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBCPMT.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -FdC:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb`)p) source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2269640861.00000000050C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-GYP\SRC\WIN_DELAY_LOAD_HOOK.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SQLITE3EXEPDB = /pdb:sqlite3sh.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES\MICROSOFT VISUAL STUDIO\2022\COMMUNITY\VC\TOOLS\MSVC\14.39.33519\LIB\X86\LIBVCRUNTIME.I386.PDB source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0, then it is assumed to already be present on the source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BCC = $(NCC) -nologo -W4 -Fd$*.pdb $(CCOPTS) $(BCCOPTS) source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: nsis-installer.exe, 00000000.00000003.2336434743.00000000050C2000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) ;; source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .$ac_ext \| .xcoff \| .tds \| .d \| .pdb \| .xSYM \| .bb \| .bbg \| .map \| .inf \| .dSYM \| .o \| *.obj ) source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\BACKUP.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\BACKUP.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\duvet\src\builds\iL3GxpTZu\source\node_modules\sqlite3\build\Release\sqlite3.pdb source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** for all file descriptors with rbu_file.pDb!=0. If the argument has source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: nsis-installer.exe, 00000000.00000003.2208092330.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ** rbu_file.pDb!=0. source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /c /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\INCLUDE\NODE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\SRC" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\CONFIG" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\OPENSSL\OPENSSL\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\UV\INCLUDE" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\ZLIB" /I"C:\USERS\ADMINISTRATOR\.ELECTRON-GYP\24.1.1\DEPS\V8\INCLUDE" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\NODE-ADDON-API" /I"C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\BUILD\RELEASE\OBJ\GLOBAL_INTERMEDIATE\SQLITE-AUTOCONF-3440200" /Z7 /nologo /W3 /WX- /diagnostics:column /Ox /Ob2 /Oi /Ot /Oy /GL /D NODE_GYP_MODULE_NAME=node_sqlite3 /D USING_UV_SHARED=1 /D USING_V8_SHARED=1 /D V8_DEPRECATION_WARNINGS=1 /D V8_DEPRECATION_WARNINGS /D V8_IMMINENT_DEPRECATION_WARNINGS /D _GLIBCXX_USE_CXX11_ABI=1 /D ELECTRON_ENSURE_CONFIG_GYPI /D WIN32 /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE /D _HAS_EXCEPTIONS=0 /D OPENSSL_NO_PINSHARED /D OPENSSL_THREADS /D NAPI_VERSION=8 /D NAPI_DISABLE_CPP_EXCEPTIONS=1 /D SQLITE_THREADSAFE=1 /D HAVE_USLEEP=1 /D SQLITE_ENABLE_FTS3 /D SQLITE_ENABLE_FTS4 /D SQLITE_ENABLE_FTS5 /D SQLITE_ENABLE_RTREE /D SQLITE_ENABLE_DBSTAT_VTAB=1 /D SQLITE_ENABLE_MATH_FUNCTIONS /D BUILDING_NODE_EXTENSION /D "HOST_BINARY=\"node.exe\"" /D NDEBUG /D _WINDLL /GF /Gm- /EHsc /MT /GS /Gy /fp:precise /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"RELEASE\OBJ\NODE_SQLITE3\\SRC\DATABASE.OBJ" /Fd"RELEASE\OBJ\NODE_SQLITE3\VC143.PDB" /external:W3 /Gd /TP /wd4351 /wd4355 /wd4800 /wd4251 /wd4275 /wd4244 /wd4267 /analyze- /FC /Zc:__cplusplus -std:c++17 C:\USERS\ADMINISTRATOR\DESKTOP\DUVET\SRC\BUILDS\IL3GXPTZU\SOURCE\NODE_MODULES\SQLITE3\SRC\DATABASE.CC source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: nsis-installer.exe, 00000000.00000003.2256512300.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2338261653.0000000004E41000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2260611134.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2256207119.0000000002E60000.00000004.00001000.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: d3dcompiler_47.dll.0.dr

Static PE information: 0xBEBD7FD7 [Fri May 29 01:54:31 2071 UTC]

PE file contains sections with non-standard names

Source: libEGL.dll.0.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: .rodata
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: CPADinfo
Source: SerenityTherapyInstaller.exe.0.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.0.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: .00cfg
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: .rodata
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: CPADinfo
Source: SerenityTherapyInstaller.exe0.0.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll0.0.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.0.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll0.0.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_05263426 push eax; retf	19_2_05263429
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_05265428 push eax; mov dword ptr [esp], edx	19_2_0526542C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526A750 push esi; iretd	19_2_0526A75E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526EDF0 push esi; iretd	19_2_0526EDFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526ECC1 pushad ; iretd	19_2_0526ECCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0526FE37 push esi; iretd	19_2_0526FE46

Drops PE files

Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\SerenityTherapyInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Jump to dropped file

Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\LICENSE.electron.txt			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\nsis-installer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SerenityTherapyInstaller.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File opened: \Device\RasAcd count: 67341			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File opened: \Device\RasAcd count: 66586

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3944	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3555
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 508
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2376
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2388
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 645

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\SpiderBanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nsis-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776	Thread sleep count: 3944 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776	Thread sleep count: 286 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3184	Thread sleep count: 3555 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep count: 508 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 1308 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 988	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5028	Thread sleep count: 2376 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5164	Thread sleep count: 84 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4924	Thread sleep count: 2388 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6924	Thread sleep count: 89 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568	Thread sleep count: 645 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3756	Thread sleep time: -922337203685477s >= -30000s

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\nsis-installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	File Volume queried: C:\Users\user FullSizeInformation

Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\nsis-installer.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller	Jump to behavior
Source: C:\Users\user\Desktop\nsis-installer.exe	File opened: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Jump to behavior

Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Virtual Webcam
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (lines.indexOf('VRTUAL') >= 0 \|\| lines.indexOf('A M I ') >= 0 \|\| lines.indexOf('VirtualBox') >= 0 \|\| lines.indexOf('VMWare') >= 0 \|\| lines.indexOf('Xen') >= 0 \|\| lines.indexOf('Parallels') >= 0) {
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: nsis-installer.exe, 00000000.00000003.2342441523.0000000002DA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdK
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'Hyper-V';
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: const stdout = execSync('dmesg 2>/dev/null \| grep -iE "virtual\|hypervisor" \| grep -iE "vmware\|qemu\|kvm\|xen" \| grep -viE "Nested Virtualization\|/virtual/"');
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if (str.indexOf('tcg') >= 0) { result = 'QEMU'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (lines.indexOf('VMware') >= 0 && !result.virtualHost) {
Source: nsis-installer.exe, 00000000.00000003.2260879693.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Virtual WebcamMedia.VideoCapture.BlacklistedDeviceGoogle Camera AdapterIP Camera [JPEG/MJPEG]CyberLink Webcam SplitterEpocCamWebcamMax..\..\media\capture\video\video_capture_metrics.ccDevice supports Media.VideoCapture.Device.SupportedPixelFormatMedia.VideoCapture.Device.SupportedResolution
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: case 'vmware':
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (stdout.toString().toLowerCase().indexOf('vmware') >= 0 && !result.virtualHost) {
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (model.startsWith('vmware')) { result.virtualHost = 'VMware'; }
Source: nsis-installer.exe, 00000000.00000003.2335886092.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f
Source: nsis-installer.exe, 00000000.00000003.2203332099.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if (str.indexOf('qemu') >= 0) { result = 'QEMU'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (manufacturer.startsWith('vmware') \|\| manufacturer.startsWith('qemu') \|\| manufacturer === 'xen' \|\| manufacturer.startsWith('parallels')) {
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (manufacturer.startsWith('qemu')) { result.virtualHost = 'KVM'; }
Source: nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tga
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (manufacturer.startsWith('vmware')) { result.virtualHost = 'VMware'; }
Source: nsis-installer.exe, 00000000.00000003.2335886092.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f562
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (IsLinux() && isVMWare) \|\| (IsAndroid() && isNvidia) \|\| (IsAndroid() && GetAndroidSdkLevel() < 27 && IsAdreno5xxOrOlder(functions)) \|\| (IsAndroid() && IsMaliT8xxOrOlder(functions)) \|\| (IsAndroid() && IsMaliG31OrOlder(functions))
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'VMware';
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (model === 'virtualbox' \|\| model === 'kvm' \|\| model === 'virtual machine' \|\| model === 'bochs' \|\| model.startsWith('vmware') \|\| model.startsWith('qemu') \|\| model.startsWith('parallels')) {
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (stdout.toString().toLowerCase().indexOf('qemu') >= 0 && !result.virtualHost) {
Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (result.model.toLowerCase() === 'virtualbox' \|\| result.model.toLowerCase() === 'kvm' \|\| result.model.toLowerCase() === 'virtual machine' \|\| result.model.toLowerCase() === 'bochs' \|\| result.model.toLowerCase().startsWith('vmware') \|\| result.model.toLowerCase().startsWith('droplet')) {
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (model.startsWith('qemu')) { result.virtualHost = 'KVM'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (result.manufacturer.toLowerCase().startsWith('vmware') \|\| result.manufacturer.toLowerCase() === 'xen') {
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'VMware';
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'QEMU';
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: result.virtualHost = 'VMware';
Source: nsis-installer.exe, 00000000.00000003.2210859270.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IIAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
Source: nsis-installer.exe, 00000000.00000003.2342518948.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#Cd
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if (str.indexOf('vmware') >= 0) { result = 'VMware'; }
Source: nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: case 'vmware':
Source: nsis-installer.exe, 00000000.00000003.2342035458.00000000050CD000.00000004.00000020.00020000.00000000.sdmp, nsis-installer.exe, 00000000.00000003.2203535595.0000000006AD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: if (disksById.indexOf('_QEMU_') >= 0) {
Source: nsis-installer.exe, 00000000.00000003.2265396042.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Screen Codec / VMware Video

Source: C:\Users\user\Desktop\nsis-installer.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\nsis-installer.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\nsis-installer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv \| %SYSTEMROOT%\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq SerenityTherapyInstaller.exe" /FO csv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "SerenityTherapyInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SerenityTherapyInstaller" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=2144 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1908 --field-trial-handle=1976,i,9719428906805688631,3168165960160999559,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --mojo-platform-channel-handle=1808 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Process created: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe "c:\users\user\appdata\local\programs\serenitytherapyinstaller\serenitytherapyinstaller.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\serenitytherapyinstaller" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaabgaaaaaaaaagaaaaaaaaaaiaaaaaaaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=944 --field-trial-handle=1916,i,2428637527847521265,8401632774138072131,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2

Source: nsis-installer.exe, 00000000.00000003.2261777652.00000000073D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_ProgmanWindowsDeleteStringWindowsCreateString
Source: SerenityTherapyInstaller.exe, 00000008.00000000.2365305161.0000000007205000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: ..\..\electron\shell\browser\ui\views\electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\resources\app.asar VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\SysWOW64\cmd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\SysWOW64\cmd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Users\user\AppData\Roaming\SerenityTherapyInstaller\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation

Source: C:\Users\user\Desktop\nsis-installer.exe

0_2_0040338F

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\Discord
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordCanary
Source: C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordPTB

ID:	1427113
Product:	CloudBasic
Start time:	02:04:07
Start date:	17.04.2024
Sample:	nsis-installer.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	85aea19a596f59d0dbf368f99be6a139
SHA1:	9fd84c0780b6555cdeed499b30e5d67071998fbc
SHA256:	7a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\D3DSCache\5b4e827ea0c96efd\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	data	FF6468020041A2905DFDF0F42E9CC291	B5D7DA2398F1AB3ECC180310E0C404B6829454AC	89FA303DDA0F3EE4EE70A6DBE66796F919253BB3A56B2E9C0299D31314743ECD
C:\Users\user\AppData\Local\D3DSCache\5b4e827ea0c96efd\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	ASCII text, with no line terminators	F49655F856ACB8884CC0ACE29216F511	CB0F1F87EC0455EC349AAA950C600475AC7B7B6B	7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
C:\Users\user\AppData\Local\D3DSCache\5b4e827ea0c96efd\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary	E2990B60D015106F81DF00E12D51AFC7	1BCC62E3DA98C88B312D4A746675F3B15A6ED09B	753610F18977E105FFE55B5227D2229F70EB53659CED4392AA3E9F599F9E9F27
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	data	EDEA8ED896EC4B9891DB52A0841FA36F	5A9DA179EC08D83E36AB3CBCC7D88475B10B06EE	D9257A3AA49B9319035822C4C989C0DA1257EBDE9660429A3ADACD632B5B32F9
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\LICENSE.electron.txt	ASCII text	4D42118D35941E0F664DDDBD83F633C5	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\LICENSES.chromium.html	HTML document, ASCII text	312446EDF757F7E92AAD311F625CEF2A	91102D30D5ABCFA7B6EC732E3682FB9C77279BA3	C2656201AC86438D062673771E33E44D6D5E97670C3160E0DE1CB0BD5FBBAE9B
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\SerenityTherapyInstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	D05989CE9BE7EA67632845FA837299C9	359843B36A73C0D1D513B8684A2F83AF34CE96A2	DF4030369CA29744F74BC4932A4FFD0537D41796C9D913623DE0D6214EC39D91
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\chrome_100_percent.pak	data	ACD0FA0A90B43CD1C87A55A991B4FAC3	17B84E8D24DA12501105B87452F86BFA5F9B1B3C	CCBCA246B9A93FA8D4F01A01345E7537511C590E4A8EFD5777B1596D10923B4B
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\chrome_200_percent.pak	data	4610337E3332B7E65B73A6EA738B47DF	8D824C9CF0A84AB902E8069A4DE9BF6C1A9AAF3B	C91ABF556E55C29D1EA9F560BB17CC3489CB67A5D0C7A22B58485F5F2FBCF25C
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\d3dcompiler_47.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3B4647BCB9FEB591C2C05D1A606ED988	B42C59F96FB069FD49009DFD94550A7764E6C97C	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\ffmpeg.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	1BB0E1140EF08440AD47D80B70DBF742	C2E4243BAD76B465B5AB39865AC023DB1632D6B0	C0D9EDDE3864D9450744F4BC526A98608B629AEED01C6647F600802E1B1CF671
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\icudtl.dat	data	D89CE8C00659D8E5D408C696EE087CE3	49FC8109960BE3BB32C06C3D1256CB66DDED19A8	9DFBE0DAD5C7021CFE8DF7F52458C422CBC5BE9E16FF33EC90665BB1E3F182DE
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libEGL.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E0A5D1A5D55DFFB55513ACB736CEF1C1	307FC023790AF5BF3D45678DE985E8E9F34896F7	AA5DA4005C76CFE5195B69282B2AD249D7DC2300BBC979592BD67315FC30C669
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\libGLESv2.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	44F7C21B6010048E0DCDC43D83EBD357	D0A4DFD8DBAE1A8421C3043315D78ECD84502B16	F6259A9B9C284EE5916447DD9D0BA051C2908C9D3662D42D8BBE6CE6D65A37DE
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\locales\af.pak	data	7E51349EDC7E6AED122BFA00970FAB80	EB6DF68501ECCE2090E1AF5837B5F15AC3A775EB	F528E698B164283872F76DF2233A47D7D41E1ABA980CE39F6B078E577FD14C97
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\locales\am.pak	data	2009647C3E7AED2C4C6577EE4C546E19	E2BBACF95EC3695DAAE34835A8095F19A782CBCF	6D61E5189438F3728F082AD6F694060D7EE8E571DF71240DFD5B77045A62954E
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\locales\ar.pak	data	47A6D10B4112509852D4794229C0A03B	2FB49A0B07FBDF8D4CE51A7B5A7F711F47A34951	857FE3AB766B60A8D82B7B6043137E3A7D9F5CFB8DDD942316452838C67D0495
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\locales\bg.pak	data	A19269683A6347E07C55325B9ECC03A4	D42989DAF1C11FCFFF0978A4FB18F55EC71630EC	AD65351A240205E881EF5C4CF30AD1BC6B6E04414343583597086B62D48D8A24
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\locales\bn.pak	data	5CDD07FA357C846771058C2DB67EB13B	DEB87FC5C13DA03BE86F67526C44F144CC65F6F6	01C830B0007B8CE6ACA46E26D812947C3DF818927B826F7D8C5FFD0008A32384
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\locales\ca.pak	data	D259469E94F2ADF54380195555154518	D69060BBE8E765CA4DC1F7D7C04C3C53C44B8AB5	F98B7442BEFC285398A5DD6A96740CBA31D2F5AADADD4D5551A05712D693029B
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\resources.pak	data	7D5065ECBA284ED704040FCA1C821922	095FCC890154A52AD1998B4B1E318F99B3E5D6B8	A10C3D236246E001CB9D434A65FC3E8AA7ACDDDDD9608008DB5C5C73DEE0BA1F
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\snapshot_blob.bin	data	916127734BC7C5B0DB478191A37FC19A	F9D868C2578F14513FCB95E109AEC795C98DBBA3	E19ED7FB96E19BB5BFE791DF03561D654EA5D52021C3403A2652F439A8D77801
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\v8_context_snapshot.bin	data	4F4D00247758C684C295243DDEDD2948	F8E8FC6C22FDE9DF1D60C329E38B38A85F96BB69	4EA84C4465EEA20B46E6DED30F711F1E0D61E15574D861B0210819ABD5E895E5
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vk_swiftshader.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	65A5705D95A0820740B3396851FF1751	A692A80BAFC41BA1B29EF19890F8465B3FB20DCB	4C4B935CBB320033F504A89B1EB0A4BCB176BBD46A5981153CB1F54DEB146A1C
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vk_swiftshader_icd.json	JSON data	8642DD3A87E2DE6E991FAE08458E302B	9C06735C31CEC00600FD763A92F8112D085BD12A	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
C:\Users\user\AppData\Local\Programs\SerenityTherapyInstaller\vulkan-1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A947C5D8FEC95A0F24B4143CED301209	EBF3089985377A58B8431A14E22A814857287AAF	29CB256921A1B0F222C82650469D534CCDF038D1F395B3AAA9F1086918F5D3FA
C:\Users\user\AppData\Local\Temp\496db3a3-1a7f-4f1b-9fcf-efdaeed463f0.tmp.node	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	33D630BC67B4ED80F42CCA1683333DB8	6FDC5E0EED7748B6090A3B617891F234E3849918	4902D4F3A75B44B58130A696041B1C9D38F81E5625F5484D3EFFC65F03451A3E
C:\Users\user\AppData\Local\Temp\8643e452-b938-4f7e-b6f6-6c79c3287391.tmp.node	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3B110985C6183E6484DD5CC9223934C5	EA9E2C108B25AF5452F6E5600680B4F711E73FAF	D9AFF04F4618B6302B60D11F849DB2FF02044B177A72AD2588ABC3C3CDD6EB78
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dincutv.eem.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ofq3lde.4wp.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qs4bf1f.sjc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4t5nvsem.qun.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brskhiv3.m0b.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cc21cv3h.uf5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drghpzag.zal.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvdjxw0x.ou2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxhqdpqg.1c5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iz5dm4ax.15d.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkrpzhpl.i5k.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljcdovsy.igu.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1i5acdv.0m3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsmbg5ro.bxw.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orsy05su.rrt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2lcpk1r.fll.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rf2mqf4h.lgx.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbupstr1.qth.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjlpmqyv.1re.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vresv4fo.4ql.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\a5cccf86-07fd-48a4-a9cf-7cd44af85556.tmp.node	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	33D630BC67B4ED80F42CCA1683333DB8	6FDC5E0EED7748B6090A3B617891F234E3849918	4902D4F3A75B44B58130A696041B1C9D38F81E5625F5484D3EFFC65F03451A3E
C:\Users\user\AppData\Local\Temp\e10a37c2-8429-4258-9cd3-d725395e8215.tmp.node	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3B110985C6183E6484DD5CC9223934C5	EA9E2C108B25AF5452F6E5600680B4F711E73FAF	D9AFF04F4618B6302B60D11F849DB2FF02044B177A72AD2588ABC3C3CDD6EB78
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\LICENSE.electron.txt	ASCII text	4D42118D35941E0F664DDDBD83F633C5	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\LICENSES.chromium.html	HTML document, ASCII text	312446EDF757F7E92AAD311F625CEF2A	91102D30D5ABCFA7B6EC732E3682FB9C77279BA3	C2656201AC86438D062673771E33E44D6D5E97670C3160E0DE1CB0BD5FBBAE9B
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\SerenityTherapyInstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	D05989CE9BE7EA67632845FA837299C9	359843B36A73C0D1D513B8684A2F83AF34CE96A2	DF4030369CA29744F74BC4932A4FFD0537D41796C9D913623DE0D6214EC39D91
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\chrome_100_percent.pak	data	ACD0FA0A90B43CD1C87A55A991B4FAC3	17B84E8D24DA12501105B87452F86BFA5F9B1B3C	CCBCA246B9A93FA8D4F01A01345E7537511C590E4A8EFD5777B1596D10923B4B
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\chrome_200_percent.pak	data	4610337E3332B7E65B73A6EA738B47DF	8D824C9CF0A84AB902E8069A4DE9BF6C1A9AAF3B	C91ABF556E55C29D1EA9F560BB17CC3489CB67A5D0C7A22B58485F5F2FBCF25C
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\d3dcompiler_47.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3B4647BCB9FEB591C2C05D1A606ED988	B42C59F96FB069FD49009DFD94550A7764E6C97C	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\ffmpeg.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	1BB0E1140EF08440AD47D80B70DBF742	C2E4243BAD76B465B5AB39865AC023DB1632D6B0	C0D9EDDE3864D9450744F4BC526A98608B629AEED01C6647F600802E1B1CF671
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\icudtl.dat	data	D89CE8C00659D8E5D408C696EE087CE3	49FC8109960BE3BB32C06C3D1256CB66DDED19A8	9DFBE0DAD5C7021CFE8DF7F52458C422CBC5BE9E16FF33EC90665BB1E3F182DE
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libEGL.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E0A5D1A5D55DFFB55513ACB736CEF1C1	307FC023790AF5BF3D45678DE985E8E9F34896F7	AA5DA4005C76CFE5195B69282B2AD249D7DC2300BBC979592BD67315FC30C669
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\libGLESv2.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	44F7C21B6010048E0DCDC43D83EBD357	D0A4DFD8DBAE1A8421C3043315D78ECD84502B16	F6259A9B9C284EE5916447DD9D0BA051C2908C9D3662D42D8BBE6CE6D65A37DE
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\af.pak	data	7E51349EDC7E6AED122BFA00970FAB80	EB6DF68501ECCE2090E1AF5837B5F15AC3A775EB	F528E698B164283872F76DF2233A47D7D41E1ABA980CE39F6B078E577FD14C97
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\am.pak	data	2009647C3E7AED2C4C6577EE4C546E19	E2BBACF95EC3695DAAE34835A8095F19A782CBCF	6D61E5189438F3728F082AD6F694060D7EE8E571DF71240DFD5B77045A62954E
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ar.pak	data	47A6D10B4112509852D4794229C0A03B	2FB49A0B07FBDF8D4CE51A7B5A7F711F47A34951	857FE3AB766B60A8D82B7B6043137E3A7D9F5CFB8DDD942316452838C67D0495
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\bg.pak	data	A19269683A6347E07C55325B9ECC03A4	D42989DAF1C11FCFFF0978A4FB18F55EC71630EC	AD65351A240205E881EF5C4CF30AD1BC6B6E04414343583597086B62D48D8A24
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\bn.pak	data	5CDD07FA357C846771058C2DB67EB13B	DEB87FC5C13DA03BE86F67526C44F144CC65F6F6	01C830B0007B8CE6ACA46E26D812947C3DF818927B826F7D8C5FFD0008A32384
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ca.pak	data	D259469E94F2ADF54380195555154518	D69060BBE8E765CA4DC1F7D7C04C3C53C44B8AB5	F98B7442BEFC285398A5DD6A96740CBA31D2F5AADADD4D5551A05712D693029B
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\cs.pak	data	04A680847C4A66AD9F0A88FB9FB1FC7B	2AFCDF4234A9644FB128B70182F5A3DF1EE05BE1	1CC44C5FBE1C0525DF37C5B6267A677F79C9671F86EDA75B6FC13ABF5D5356EB
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\da.pak	data	1A53D374B9C37F795A462AAC7A3F118F	154BE9CF05042ECED098A20FF52FA174798E1FEA	D0C38EB889EE27D81183A0535762D8EF314F0FDEB90CCCA9176A0CE9AB09B820
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\de.pak	data	8E6654B89ED4C1DC02E1E2D06764805A	FF660BC85BB4A0FA3B2637050D2B2D1AECC37AD8	61CBCE9A31858DDF70CC9B0C05FB09CE7032BFB8368A77533521722465C57475
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\el.pak	data	9528D21E8A3F5BAD7CA273999012EBE8	58CD673CE472F3F2F961CF8B69B0C8B8C01D457C	E79C1E7A47250D88581E8E3BAF78DCAF31FE660B74A1E015BE0F4BAFDFD63E12
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\en-GB.pak	data	D59E613E8F17BDAFD00E0E31E1520D1F	529017D57C4EFED1D768AB52E5A2BC929FDFB97C	90E585F101CF0BB77091A9A9A28812694CEE708421CE4908302BBD1BC24AC6FD
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\en-US.pak	data	5E3813E616A101E4A169B05F40879A62	615E4D94F69625DDA81DFAEC7F14E9EE320A2884	4D207C5C202C19C4DACA3FDDB2AE4F747F943A8FAF86A947EEF580E2F2AEE687
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\es-419.pak	data	7F6696CC1E71F84D9EC24E9DC7BD6345	36C1C44404EE48FC742B79173F2C7699E1E0301F	D1F17508F3A0106848C48A240D49A943130B14BD0FEB5ED7AE89605C7B7017D1
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\es.pak	data	A36992D320A88002697DA97CD6A4F251	C1F88F391A40CCF2B8A7B5689320C63D6D42935F	C5566B661675B613D69A507CBF98768BC6305B80E6893DC59651A4BE4263F39D
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\et.pak	data	A94E1775F91EA8622F82AE5AB5BA6765	FF17ACCDD83AC7FCC630E9141E9114DA7DE16FDB	1606B94AEF97047863481928624214B7E0EC2F1E34EC48A117965B928E009163
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\fa.pak	data	9D273AF70EAFD1B5D41F157DBFB94FDC	DA98BDE34B59976D4514FF518BD977A713EA4F2E	319D1E20150D4E3F496309BA82FCE850E91378EE4B0C7119A003A510B14F878B
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\fi.pak	data	D4B776267EFEBDCB279162C213F3DB22	7236108AF9E293C8341C17539AA3F0751000860A	297E3647EAF9B3B95CF833D88239919E371E74CC345A2E48A5033EBE477CD54E
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\fil.pak	data	3165351C55E3408EAA7B661FA9DC8924	181BEE2A96D2F43D740B865F7E39A1BA06E2CA2B	2630A9D5912C8EF023154C6A6FB5C56FAF610E1E960AF66ABEF533AF19B90CAA
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\fr.pak	data	0BF28AFF31E8887E27C4CD96D3069816	B5313CF6B5FBCE7E97E32727A3FAE58B0F2F5E97	2E1D413442DEF9CAE2D93612E3FD04F3AFAF3DD61E4ED7F86400D320AF5500C2
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\gu.pak	data	7B5F52F72D3A93F76337D5CF3168EBD1	00D444B5A7F73F566E98ABADF867E6BB27433091	798EA5D88A57D1D78FA518BF35C5098CBEB1453D2CB02EF98CD26CF85D927707
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\he.pak	data	6D787DC113ADFB6A539674AF7D6195DB	F966461049D54C61CDD1E48EF1EA0D3330177768	A976FAD1CC4EB29709018C5FFCC310793A7CEB2E69C806454717CCAE9CBC4D21
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\hi.pak	data	1766A05BE4DC634B3321B5B8A142C671	B959BCADC3724AE28B5FE141F3B497F51D1E28CF	0EEE8E751B5B0AF1E226106BEB09477634F9F80774FF30894C0F5A12B925AC35
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\hr.pak	data	8F9498D18D90477AD24EA01A97370B08	3868791B549FC7369AB90CD27684F129EBD628BE	846943F77A425F3885689DCF12D62951C5B7646E68EADC533B8B5C2A1373F02E
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\hu.pak	data	F5E1CA8A14C75C6F62D4BFF34E27DDB5	7ABA6BFF18BDC4C477DA603184D74F054805C78F	C0043D9FA0B841DA00EC1672D60015804D882D4765A62B6483F2294C3C5B83E0
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\id.pak	data	7B39423028DA71B4E776429BB4F27122	CB052AB5F734D7A74A160594B25F8A71669C38F2	3D95C5819F57A0AD06A118A07E0B5D821032EDCF622DF9B10A09DA9AA974885F
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\it.pak	data	D58A43068BF847C7CD6284742C2F7823	497389765143FAC48AF2BD7F9A309BFE65F59ED9	265D8B1BC479AD64FA7A41424C446139205AF8029A2469D558813EDD10727F9C
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ja.pak	data	D10D536BCD183030BA07FF5C61BF5E3A	44DD78DBA9F098AC61222EB9647D111AD1608960	2A3D3ABC9F80BAD52BD6DA5769901E7B9E9F052B6A58A7CC95CE16C86A3AA85A
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\kn.pak	data	C548A5F1FB5753408E44F3F011588594	E064AB403972036DAD1B35ABE9794E95DBE4CC00	890F50A57B862F482D367713201E1E559AC778FC3A36322D1DFBBEF2535DD9CB
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ko.pak	data	B4FBFF56E4974A7283D564C6FC0365BE	DE68BD097DEF66D63D5FF04046F3357B7B0E23AC	8C9ACDE13EDCD40D5B6EB38AD179CC27AA3677252A9CD47990EBA38AD42833E5
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\lt.pak	data	980C27FD74CC3560B296FE8E7C77D51F	F581EFA1B15261F654588E53E709A2692D8BB8A3	41E0F3619CDA3B00ABBBF07B9CD64EC7E4785ED4C8A784C928E582C3B6B8B7DB
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\lv.pak	data	E4F7D9E385CB525E762ECE1AA243E818	689D784379BAC189742B74CD8700C687FEEEDED1	523D141E59095DA71A41C14AEC8FE9EE667AE4B868E0477A46DD18A80B2007EF
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ml.pak	data	8B38C65FC30210C7AF9B6FA0424266F4	116413710FFCF94FBFA38CB97A47731E43A306F5	E8DF9A74417C5839C531D7CCAB63884A80AFB731CC62CBBB3FD141779086AC7D
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\mr.pak	data	C0EF1866167D926FB351E9F9BF13F067	6092D04EF3CE62BE44C29DA5D0D3A04985E2BC04	88DF231CF2E506DB3453F90A797194662A5F85E23BBAC2ED3169D91A145D2091
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ms.pak	data	9B3E2F3C49897228D51A324AB625EB45	8F3DAEC46E9A99C3B33E3D0E56C03402CCC52B9D	61A3DAAE72558662851B49175C402E9FE6FD1B279E7B9028E49506D9444855C5
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\nb.pak	data	AF0FD9179417BA1D7FCCA3CC5BEE1532	F746077BBF6A73C6DE272D5855D4F1CA5C3AF086	E900F6D0DD9D5A05B5297618F1FE1600C189313DA931A9CB390EE42383EB070F
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\nl.pak	data	181D2A0ECE4B67281D9D2323E9B9824D	E8BDC53757E96C12F3CD256C7812532DD524A0EA	6629E68C457806621ED23AA53B3675336C3E643F911F8485118A412EF9ED14CE
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\pl.pak	data	18D49D5376237BB8A25413B55751A833	0B47A7381DE61742AC2184850822C5FA2AFA559E	1729AA5C8A7E24A0DB98FEBCC91DF8B7B5C16F9B6BB13A2B0795038F2A14B981
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\pt-BR.pak	data	0D9DEA9E24645C2A3F58E4511C564A36	DCD2620A1935C667737EEA46CA7BB2BDCB31F3A6	CA7B880391FCD319E976FCC9B5780EA71DE655492C4A52448C51AB2170EEEF3B
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\pt-PT.pak	data	6A7232F316358D8376A1667426782796	8B70FE0F3AB2D73428F19ECD376C5DEBA4A0BB6C	6A526CD5268B80DF24104A7F40F55E4F1068185FEBBBB5876BA2CB7F78410F84
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ro.pak	data	99EAA3D101354088379771FD85159DE1	A32DB810115D6DCF83A887E71D5B061B5EEFE41F	33F4C20F7910BC3E636BC3BEC78F4807685153242DD4BC77648049772CF47423
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ru.pak	data	AB9902025DCF7D5408BF6377B046272B	C9496E5AF3E2A43377290A4883C0555E27B1F10F	983B15DCC31D0E9A3DA78CD6021E5ADD2A3C2247322ADED9454A5D148D127AAE
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\sk.pak	data	C6C7396DBFB989F034D50BD053503366	089F176B88235CCE5BCA7ABFCC78254E93296D61	439F7D6C23217C965179898754EDCEF8FD1248BDD9B436703BF1FF710701117A
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\sl.pak	data	D4BD9F20FD29519D6B017067E659442C	782283B65102DE4A0A61B901DEA4E52AB6998F22	F33AFA6B8DF235B09B84377FC3C90403C159C87EDD8CD8004B7F6EDD65C85CE6
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\sr.pak	data	CBB817A58999D754F99582B72E1AE491	6EC3FD06DEE0B1FE5002CB0A4FE8EC533A51F9FD	4BD7E466CB5F5B0A451E1192AA1ABAAF9526855A86D655F94C9CE2183EC80C25
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\sv.pak	data	502E4A8B3301253ABE27C4FD790FBE90	17ABCD7A84DA5F01D12697E0DFFC753FFB49991A	7D72E3ADB35E13EC90F2F4271AD2A9B817A2734DA423D972517F3CFF299165FD
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\sw.pak	data	39277AE2D91FDC1BD38BEA892B388485	FF787FB0156C40478D778B2A6856AD7B469BD7CB	6D6D095A1B39C38C273BE35CD09EB1914BD3A53F05180A3B3EB41A81AE31D5D3
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ta.pak	data	7006691481966109CCE413F48A349FF2	6BD243D753CF66074359ABE28CFAE75BCEDD2D23	24EA4028DA66A293A43D27102012235198F42A1E271FE568C7FD78490A3EE647
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\te.pak	data	F809BF5184935C74C8E7086D34EA306C	709AB3DECFF033CF2FA433ECC5892A7AC2E3752E	9BBFA7A9F2116281BF0AF1E8FFB279D1AA97AC3ED9EBC80C3ADE19E922D7E2D4
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\th.pak	data	2C41616DFE7FCDB4913CFAFE5D097F95	CF7D9E8AD3AA47D683E47F116528C0E4A9A159B0	F11041C48831C93AA11BBF885D330739A33A42DB211DACCF80192668E2186ED3
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\tr.pak	data	3A858619502C68D5F7DE599060F96DB9	80A66D9B5F1E04CDA19493FFC4A2F070200E0B62	D81F28F69DA0036F9D77242B2A58B4A76F0D5C54B3E26EE96872AC54D7ABB841
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\uk.pak	data	EE70E9F3557B9C8C67BFB8DFCB51384D	FC4DFC35CDE1A00F97EEFE5E0A2B9B9C0149751E	54324671A161F6D67C790BFD29349DB2E2D21F5012DC97E891F8F5268BDF7E22
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\ur.pak	data	FF0A23974AEF88AFC86ECC806DBF1D60	E7BAE97CBB8692A0D106644DFAA9B7D7EA6FCEF0	F245AB242AAFEEF37DB736C780476534FAD0706AA66DCB8B6B8CD181B4778385
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\vi.pak	data	3FE6F90F1F990AED508DEDA3810CE8C2	3B86F00666D55E984B4ACA1A5E8319FFA8F411FF	5EEBB23221AEBCF0BE01BFC2695F7DD35B17F6769BE1E28E5610D35C9717854B
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\zh-CN.pak	data	20F315D38E3B2EDC5832931E7770B62A	2390BD585DEC1E884873454BB98B6F1467DCF7BB	53A803724BBF2E7F40AAB860325C348F786EECA1EA5CA39A76B4C4A616E3233F
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\locales\zh-TW.pak	data	524711882CBFB5B95A63EF48F884CFF0	1078037687CFC5D038EEB8B63D295239E0EDC47A	9E16499CD96A155D410C8DF4C812C52FF2A750F8C4DB87FD891C1E58C1428C78
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources.pak	data	7D5065ECBA284ED704040FCA1C821922	095FCC890154A52AD1998B4B1E318F99B3E5D6B8	A10C3D236246E001CB9D434A65FC3E8AA7ACDDDDD9608008DB5C5C73DEE0BA1F
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources\app.asar	data	47CF1F17D6E55A7CCC07DCB137978CA2	5584A6549BB0530631C94410F4F1D2FDAA654450	B1DEA4DF87B3F28976560A250AEF99C27D182C08F61A4CF0F41BF08B5ED2B06A
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\resources\elevate.exe	PE32 executable (console) Intel 80386, for MS Windows	792B92C8AD13C46F27C7CED0810694DF	D8D449B92DE20A57DF722DF46435BA4553ECC802	9B1FBF0C11C520AE714AF8AA9AF12CFD48503EEDECD7398D8992EE94D1B4DC37
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\snapshot_blob.bin	data	916127734BC7C5B0DB478191A37FC19A	F9D868C2578F14513FCB95E109AEC795C98DBBA3	E19ED7FB96E19BB5BFE791DF03561D654EA5D52021C3403A2652F439A8D77801
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\v8_context_snapshot.bin	data	4F4D00247758C684C295243DDEDD2948	F8E8FC6C22FDE9DF1D60C329E38B38A85F96BB69	4EA84C4465EEA20B46E6DED30F711F1E0D61E15574D861B0210819ABD5E895E5
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vk_swiftshader.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	65A5705D95A0820740B3396851FF1751	A692A80BAFC41BA1B29EF19890F8465B3FB20DCB	4C4B935CBB320033F504A89B1EB0A4BCB176BBD46A5981153CB1F54DEB146A1C
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vk_swiftshader_icd.json	JSON data	8642DD3A87E2DE6E991FAE08458E302B	9C06735C31CEC00600FD763A92F8112D085BD12A	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\7z-out\vulkan-1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A947C5D8FEC95A0F24B4143CED301209	EBF3089985377A58B8431A14E22A814857287AAF	29CB256921A1B0F222C82650469D534CCDF038D1F395B3AAA9F1086918F5D3FA
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\SpiderBanner.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	17309E33B596BA3A5693B4D3E85CF8D7	7D361836CF53DF42021C7F2B148AEC9458818C01	996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\StdUtils.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	C6A6E03F77C313B267498515488C5740	3D49FC2784B9450962ED6B82B46E9C3C957D7C15	B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0D7AD4F45DC6F5AA87F606D0331C6901	48DF0911F0484CBE2A8CDD5362140B63C41EE457	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\app-32.7z	7-zip archive data, version 0.4	A654004DFF31A3BEAEEDBDF4960B412F	2F731E9EF3FED7E900A2257C1D83D7D77F4111D9	0136D087E4FDF1EF2C0EF9587283222DF4A89C874AD42675A6260935CAB9FA42
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsExec.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EC0504E6B8A11D5AAD43B296BEEB84B2	91B5CE085130C8C7194D66B2439EC9E1C206497C	5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962
C:\Users\user\AppData\Local\Temp\nss10B5.tmp\nsis7z.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	80E44CE4895304C6A3A831310FBF8CD0	36BD49AE21C460BE5753A904B4501F1ABCA53508	B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
C:\Users\user\AppData\Roaming\SerenityTherapyInstaller\1508d4cb-6eb4-4c1c-911b-6a8c7e0b4058.tmp	JSON data	20CB668867F9AE7D3ECA073977AA2721	9E87A73CB243558104B5C0B879A0C2C508706059	74DF97BFE34E70E423E9A04FD929B93F8F6387795603AF3EA99DACDCEDE8043D
C:\Users\user\AppData\Roaming\SerenityTherapyInstaller\Local State (copy)	JSON data	20CB668867F9AE7D3ECA073977AA2721	9E87A73CB243558104B5C0B879A0C2C508706059	74DF97BFE34E70E423E9A04FD929B93F8F6387795603AF3EA99DACDCEDE8043D

Windows Analysis Report
nsis-installer.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report nsis-installer.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
nsis-installer.exe