Malware Analysis Report

2024-10-16 05:03

Sample ID 240809-ye55hsxclj
Target https://github.com/ThomsenCoding/FiveM-Cheat-Scanner
Tags
discovery dropper
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/ThomsenCoding/FiveM-Cheat-Scanner was found to be: Likely malicious.

Malicious Activity Summary

discovery dropper

Download via BitsAdmin

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Blocklisted process makes network request

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 19:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 19:42

Reported

2024-08-09 19:56

Platform

win11-20240802-en

Max time kernel

600s

Max time network

437s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ThomsenCoding/FiveM-Cheat-Scanner

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\nodejs\node.exe N/A
N/A N/A C:\Program Files\nodejs\node.exe N/A
N/A N/A C:\Program Files\nodejs\node.exe N/A
N/A N/A C:\Program Files\nodejs\node.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\__init__.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\__init__.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\process-release.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\tests.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\table.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\corepack\dist\yarn.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\yarnpkg.ps1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\index.umd.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\specifiers.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\dir.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\tag.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\pack.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-unstar.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\lib\options.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\name-from-folder\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\index.mjs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\glob.d.ts.map C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\jackspeak\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\align.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\archy\examples\beep.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\dist\cjs\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\passthrough.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\shebang-regex\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\parse-field.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\buffer\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\processor.d.ts C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\getProp.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\receivebuffer.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\progress-bar.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\has-magic.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\hasown\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\lib\utils\update-notifier.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-unpublish.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\man-target.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-config.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-query.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\input.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\ours\primordials.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\peer-entry-sets.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\lib\utils\pulse-till-done.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\ansi-regex\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\walker.d.ts.map C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\README.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\rsort.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-help-search.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\body.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\deduper.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\mkdir.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-license\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\promzard\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\vuln.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\package-json\lib\normalize.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\signer\fulcio\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\source\vendor\supports-color\index.js C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIAF66.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4CE28C39DF34F1CE.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58a8af.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DA5C7599-681B-43F8-B8A6-20D986C704F9} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{DA5C7599-681B-43F8-B8A6-20D986C704F9}\NodeIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58a8af.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{DA5C7599-681B-43F8-B8A6-20D986C704F9}\NodeIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID39B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58a8b1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID5A0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF46.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFB8DA97A758743870.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB2E2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB42B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF98330FEBBB6CDE7A.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF182C2EB5AC031484.TMP C:\Windows\system32\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b38cc7aac7e825c30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b38cc7aa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b38cc7aa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db38cc7aa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b38cc7aa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\EnvironmentPath C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Net\1 = "C:\\Windows\\system32\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\NodeRuntime C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\PackageName = "node_installer.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\EnvironmentPathNpmModules = "EnvironmentPath" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\PackageCode = "048BAA490FC47FE48B7B9F53EE26ADCC" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\ProductIcon = "C:\\Windows\\Installer\\{DA5C7599-681B-43F8-B8A6-20D986C704F9}\\NodeIcon" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\corepack C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\DocumentationShortcuts C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9957C5ADB1868F348B6A029D687C409F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\LastUsedSource = "n;1;C:\\Windows\\system32\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\npm C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\ProductName = "Node.js" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Version = "336265217" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\EnvironmentPathNode = "EnvironmentPath" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F C:\Windows\system32\msiexec.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\FiveM-Cheat-Scanner-main.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 4444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 4444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ThomsenCoding/FiveM-Cheat-Scanner

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa985c3cb8,0x7ffa985c3cc8,0x7ffa985c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_FiveM-Cheat-Scanner-main.zip\FiveM-Cheat-Scanner-main\FiveM-Cheat-Scanner\start.bat" "

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer "Téléchargement_NodeJS" https://nodejs.org/dist/v20.11.1/node-v20.11.1-x64.msi "C:\Windows\system32\node_installer.msi"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Windows\system32\node_installer.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding CE997AAE803C312947DF7F4A6E38916D C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding B61854EF567E57D3B228901C450E0D61

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 5591447CDB912196491907A4F5E2BDB0 E Global\MSI0000

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 122548CB2649925B92DA8C496CA01DB5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_FiveM-Cheat-Scanner-main.zip\FiveM-Cheat-Scanner-main\FiveM-Cheat-Scanner\start.bat" "

C:\Program Files\nodejs\node.exe

node -v

C:\Program Files\nodejs\node.exe

node checker.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_FiveM-Cheat-Scanner-main.zip\FiveM-Cheat-Scanner-main\FiveM-Cheat-Scanner\start.bat" "

C:\Program Files\nodejs\node.exe

node -v

C:\Program Files\nodejs\node.exe

node checker.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,583432756496974721,18072407057565920124,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4804 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 140.82.112.22:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 20.26.156.216:443 codeload.github.com tcp
N/A 224.0.0.251:5353 udp
US 104.20.22.46:443 nodejs.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5578283903c07cc737a43625e2cbb093
SHA1 f438ad2bef7125e928fcde43082a20457f5df159
SHA256 7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2
SHA512 3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

\??\pipe\LOCAL\crashpad_4984_EJZWBYLMFWKMNFCP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0487ced0fdfd8d7a8e717211fcd7d709
SHA1 598605311b8ef24b0a2ba2ccfedeecabe7fec901
SHA256 76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571
SHA512 16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 83ac763498cd57ced3364a9ddd300bbc
SHA1 06a06c45e2cc8d7cb7eb2d2e93664f0217283b2f
SHA256 bdd37ce6e95d0f97355863b78bc06502f5ab7ddd64793cd37d7092a1252172d1
SHA512 4642f7b7c750764bb11a0f6cea84e66f19969e1a9c72d6656dd2979bc5e1bb23752d0b900d2a2d74dea95c5aded44daad60836af3dd11a3ac308c20e3fea21b0

C:\Users\Admin\Downloads\FiveM-Cheat-Scanner-main.zip:Zone.Identifier

MD5 9be97c2b4b3d1a9ceb8df926e4c12278
SHA1 1e364726c2b97acefa4804a58a9f7adfe0d86c4e
SHA256 74f670240f30079f021c434c356eb66a09dfde9333f16e54200e9b76dbd4cdc1
SHA512 bbc52d48e36aeb6e0bdc2712815f0f94fa9195b4d7d76243462c7685aee6980a35e57e8ec0f66314da5b8548f17eca06bf51ad6346a2d7a34f1785e02d4a7656

C:\Users\Admin\Downloads\FiveM-Cheat-Scanner-main.zip

MD5 9d8cd9922a930376b6198959f15a0b04
SHA1 f8e643109767e28e220ec974588d83dcca0acf46
SHA256 e9dd1c9b7bbefaa2b2343e6bf2ea03b568a50a26537cf91f672d748ff251cde5
SHA512 8505024ee6a31ffc45ef060749d4f2f8e26039b25f507e425f50ac12ef3120fcb1cccf4153cfa6925be34054010babeb66aff6c5a1a224eca12b3c064a11e902

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 edbdd6620c024cf7fd4a4a20c789e648
SHA1 4c1eb2ef8fa2fe49eb9dc26a9b28d65de6007098
SHA256 3e0e5c6dbe3a382f0869ec6eb1cba648add125c11345dff6ffae1a2ed8b51670
SHA512 777db4b974a4f54a875ba388564536230b94ab868d08af8e4f2a5f0b4ef4e5e0ce936de9e01fcf444b47711756f9c3424996f634d20d358976a2907e657299ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2d0dd152e28a7f2dec3a2b475778a2d2
SHA1 28ea452e09c1b5041b18b0a525ba0d5ebf9e819c
SHA256 ea38f7f52525cf948b84b26cb69becd29e20e7602d1f319f98c3ef0254d48a2d
SHA512 fa2dd95a1d91081a89edcc68007ba54053591f0a07814614bbac30d5d72a29ff0c7b2c7a232dd46b9bca2f31af75dc239e6320d6ceb379825c2c2a80e904008d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bbd156ad85499deab28b27baabeef499
SHA1 a818a4f5393d6323e378ee8a4a11c16cdb99c389
SHA256 15c8504837a732f9dd60b04a17a347c6840611ec0b50e5169215fe49380a1a52
SHA512 2d353ca827c87c9a68f786b952db7eda48dc71dc8a5bacd9774fe31ec89e8ac698054915c5be95befea59622a201f54cbc341ed6484803779b58bc25c3dcbb37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a8fc3c91855d702193fa5e78cea63bab
SHA1 cc8cfa8eeac6613bfb10c0a440091cee7ca3e18b
SHA256 7cf756d44ceb6c6ce622580016fc60d9e8260d4b0e1d6fa5be768ac25132e936
SHA512 230b82e7887ccabd85bee3246b10077af6af121641c3348c7cb469dcf5f0d24ddce7f0d6dda611d2f41a2160ef66a8db4857987724cc1beac07adad44988da97

C:\Users\Admin\AppData\Local\Temp\MSI57CF.tmp

MD5 688822a69ee8f8e24181504edb51aa47
SHA1 ceb32e307a5b7e73ab739f659ecf193ac035a6d1
SHA256 de921f3c5c5e50a362cf6df681bfe72d166968a212d4d73a20e346161d5151d8
SHA512 d936a4323b5738b3d40a402c0e2718e3f65e538f164bd7440bef6bca1666de48d41b6ef954e68396e8cacb79c54f2acf318b5edcaea92a7f8a9a110fc6813a81

C:\Users\Admin\AppData\Local\Temp\MSI585D.tmp

MD5 80bebea11fbe87108b08762a1bbff2cd
SHA1 a7ec111a792fd9a870841be430d130a545613782
SHA256 facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512 a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 11b3969edd7fd2423328acf8a047edca
SHA1 427208bef85a3acb7c9455c959fdc0566b4a185a
SHA256 d5cd2cc7ae7254789bd4ac6ddd5d05f181eb06adfe40e828e07eb22f2c4c50d5
SHA512 d5fa86049c4d3235f45b0caf94d20ec1d54823edce154a1a51402c0731bfd0f93fd1bea6408a1093b213020a14bf8701578f44f956891ed1359d93b7818d641a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

MD5 305087cacc914341ed0fd39d8783df84
SHA1 7519911764bf9fd3d7048db980d7714ccacc2d6f
SHA256 6acfcda4a92f933011defd4809e36c749ab77f1c2588385b1d2a340daded90a5
SHA512 77c99a4e19c1ef91a90b5ad4244b71fdc99b5ccddd38ec638a467f3dd38998c7cd3a7f1eea0e61d27dfd11bc12c4dcab6b704919555ef690fb6caa162f9bcfe7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

MD5 1c385b44d41ad0bc91feb23dfb253851
SHA1 b06f5b168e0bbeb69c6d3b2c7054b1f8059d5b8e
SHA256 32d7f92ffdef95bb2b880685764ab0824d2efbcca8de7ac935a7a12c3eba665e
SHA512 4a2ff602e02affe84fb97ed995af55854e496ed04992ebe1bb76304c44c07fe90c0cc16ba951ce24dff30ca58cfe9f2fb45863d53b27b9d33c5ceced03233460

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 d0e23efe553d18c9b9e018495135e75b
SHA1 48804ccc923554a9ab179aebf171ea1ec3671b32
SHA256 a95f9a24fe0812ebf38f541986baa2df3f38db1f5e983c1c383ecf2f78df7620
SHA512 0a50092b14ab9145c063eb1d38367ebb11dab69a3a2f1736ad4358e2b19fa4334261047ec9e1e665e95124430c791f3828507adb7119af7da213c19866a80e24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 83661d7a98e7dc031c49940e84f75374
SHA1 9e95c7ea573304df700f32b4c23e64d3a4a9fbb1
SHA256 23fe17c5acb84324e535f6d89c7aa9ce5abf1b147a29343234b20388c3b95840
SHA512 93d183db76df145482df2ad935b049d33018ddeb2e365ef967720054b5efe025577ec80fc715b853e4bc3a4316c6c6e5ece3f44be6e87290b39ffe9429ca277b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 e33a85ef892402bbe9de308183ddc016
SHA1 5bc8ae61a5b21b112fedb5d6a3688e2f732ad8c5
SHA256 e330e9d3928dbeaee6f18c0c90d415c55fd68e49c3bb68aab6ad4f375c95786f
SHA512 590e3ebca2453ec3a682fe7d7a7a734ff07f6682cb8f6c4e8f2a6abee1d4a20ad38cc8c685e962809dd123f9c3c1cde4d366fdf657fec9514769978befb1bdf9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a6d346f58cbec0a6e4015327b25f1537
SHA1 750056e65a8b1c20b1a6051f5adcdf35821a6ac1
SHA256 1a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56
SHA512 74e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89

C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\utils\types.js

MD5 24563705cc4bb54fccd88e52bc96c711
SHA1 871fa42907b821246de04785a532297500372fc7
SHA256 ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13
SHA512 2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

MD5 d2cf52aa43e18fdc87562d4c1303f46a
SHA1 58fb4a65fffb438630351e7cafd322579817e5e1
SHA256 45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA512 54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\node_modules\strip-ansi\license

MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\LICENSE

MD5 0ba5044c64ef53cb0189c9546081e228
SHA1 c8bc7df08db9dd3b39c2c2259a163a36cf2f6808
SHA256 49bbe9114e49214df2ccc324cb3ac8d1d1aa1c3a0947f94c286765e86647b32e
SHA512 a7ce8c7f21c031e4e6d037f4eabe8b200b8f1470731c05ea86028171f2964310dadc5def814d2d65164fbd23d720ecfd4d479ff5e269e519c787b4db96c7724f

C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md

MD5 2916d8b51a5cc0a350d64389bc07aef6
SHA1 c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256 733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512 508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE

MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

C:\Program Files\nodejs\node_modules\npm\node_modules\ip-regex\license

MD5 b862aeb7e1d01452e0f07403591e5a55
SHA1 b8765be74fea9525d978661759be8c11bab5e60e
SHA256 fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f
SHA512 885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\LICENSE

MD5 d7c8fab641cd22d2cd30d2999cc77040
SHA1 d293601583b1454ad5415260e4378217d569538e
SHA256 04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512 278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\index.js

MD5 bc0c0eeede037aa152345ab1f9774e92
SHA1 56e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA256 7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA512 5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\package.json

MD5 d116a360376e31950428ed26eae9ffd4
SHA1 192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256 c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA512 5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\cjs\package.json

MD5 56368b3e2b84dac2c9ed38b5c4329ec2
SHA1 f67c4acef5973c256c47998b20b5165ab7629ed4
SHA256 58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd
SHA512 d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\mjs\package.json

MD5 2324363c71f28a5b7e946a38dc2d9293
SHA1 7eda542849fb3a4a7b4ba8a7745887adcade1673
SHA256 1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4
SHA512 7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

\??\Volume{aac78cb3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{19a85a61-2be4-4999-81bc-51019f41950d}_OnDiskSnapshotProp

MD5 b8e57521abc41131eb0b0dd1c894a0b1
SHA1 789f443f2ae851821251f67b7ae082024bc02862
SHA256 e2ce53e0133414a351746dfd375457a3a0adc716bb70a29ea438c0e3f9491d19
SHA512 20a9b8d616490d5b02f12ed6e8c2d7b02a8c75d10446ab5e0e38352b595f607def2cb8e6c747ce0774a6260803ac267722f8535dedfc252f3c65ec3ed7b58dae

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 efacd458991fe130d40e1906fec91ebd
SHA1 430e0be770337f6a2df574fd7c0dc765c27e6610
SHA256 6c5bffa7481c075225a42bde66aac13abfa37eb9f4848c131da3123e3016b98a
SHA512 7a3d27d62327b95e941a2adf614a3ae14cc5b4642877834bd757c58aac7038773d0b727ee9b89aad393a159d59890e7bf4b540bc4e80b8daa6b83a0b09899192

C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\ansi-regex\index.js

MD5 a20c210b6e40f32c74581046a72637fa
SHA1 ff290036409fd67472b634e36afca346db5c2ffc
SHA256 4c603af42ee01f6fa43775a6162f6dbbcca897bc2912d19db2974992190363cf
SHA512 0cd4fbdf682b6e3e735ee390c463ffa9aa5dd22d38ab312a0731676e95bac37dab9f0d638d8f9c1ab6cdafd15f04ea2864c8702e82f18ca70f86dbb03549ce4d

C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\ansi-regex\package.json

MD5 f7fb47cf242d265b2497e3a6ac213617
SHA1 1a09448abf0524c9342c5723b60ba3810af10326
SHA256 a1b5721b315f84a5e2e28f3209eb92831537eb778e9e978502696e6235d71644
SHA512 6118a9b8efa277e46c065a097a4c9f18623ebee5cd6c170015bc40a222e2ffd2e6e72ce2c3c259a79698901a5f04b4b6b1980541e136ac1ecfb08f23513cd2a7

C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\strip-ansi\index.js

MD5 3f03b6fe5c918ae1b49ed36f4581762f
SHA1 1dc3afa3b08728017bdff8105d7424fc8951902f
SHA256 ee7638c432f16042a7c64c40b4bf326e44b7d6d9b7add19806637240c246a6a6
SHA512 b271511f7fd29719d06dbd162ac5259355c682675316aa4c8c513f30f8c390974948a4c02f383a43757c66c2247047f80dc88c2ebf261d9b3dfe0138f1a3c7d7

C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\strip-ansi\package.json

MD5 d59bf9acae68d3368565b2c4302d1c82
SHA1 dc8dd3a6928631b912f6dbb9471b43e9a15117ae
SHA256 dec16b172e99984a3c913a9ec30d854da58467ae1fbde1b43a1d8f9562b80ed8
SHA512 b74620e60f75f889654c57c5a8c3a1a69d003523f78a539085ab521c599e905c0038e958533d6a38643d6ecee3dfed97190e595f1309d775fd41e29487162a5f

C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

MD5 9841536310d4e186a474dfa2acf558cd
SHA1 33fabbcc5e1adbe0528243eafd36e5d876aaecaa
SHA256 5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9
SHA512 b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

MD5 cf8f16c1aa805000c832f879529c070c
SHA1 54cc4d6c9b462ad2de246e28cd80ed030504353d
SHA256 77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573
SHA512 a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

MD5 8ffc28655646cd69abee60c0ff8f7626
SHA1 b9b32e3fa1d5d42c60bf4a4035c1bd5fca9cb75c
SHA256 490ca1df20d922f35de50f301279b0b55f3096cf54cbc58c4954297db056aae8
SHA512 295f8b9c2dea878e260ba98402aee8dffe180213b3edf06de12297571843c959b1f582e38769b8b066ef1a1fc1cf4af3a70bced1dac20c755fd5a5509a6bc5c0

C:\Config.Msi\e58a8b0.rbs

MD5 dd96556329840f42cf1fe7c1e6aa3902
SHA1 f473d9de12dfa35cd8ff94cdef2aa6ec4e222d34
SHA256 0e7c6d8bd7bb853068ea9794d9a4b8eeb79f3edb0482a0834359f7df6c3d91e4
SHA512 a43a9a0a82529fbfdbf68272312644a0faee492ba162d0d3c1e418ee6fb75cdfa4901ad0d3e98df596ecca19372fb6052a54d60b9a2eb2a7f77feb1e4b84cbe7

C:\Windows\Installer\MSID5A0.tmp

MD5 74528af81c94087506cebcf38eeab4bc
SHA1 20c0ddfa620f9778e9053bd721d8f51c330b5202
SHA256 2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34
SHA512 9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

C:\Windows\Installer\e58a8af.msi

MD5 ddc3834ba30017c8b403f48f802c2566
SHA1 7460683828f21069a33e694801a85557434cefcf
SHA256 c54f5f7e2416e826fd84e878f28e3b53363ae9c3f60a140af4434b2453b5ae89
SHA512 94bb61b403d42ba362d470809e7d4167e1df55280ed5daf96c65861ab031718dce1851838d4b7e3cc873da8dda7b461c39b91edff9af4e7ad6f697c46528ffdc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 850f5cc92206f70c94a88d2be9595411
SHA1 44e2b535ba48ad8181f57c7922583d264395b5b5
SHA256 c2e554ccfa03b6842589794a695f78ed8e55a2f8e813e26d2944a085e274e58a
SHA512 016ba5bc8ec74607e6b63bb8727312239cbf78b26edbeb21a683778f6653e14b9f90e770968b334b60610490af90797ef4de4eecfbf43b397a62312ed309e0fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 be8ed615204deb4958d231fff848b5d3
SHA1 16d47157a249d607deddc49ae9d88a6eff13caff
SHA256 7dd1cb2797927f5098bf3042e34b74f84a56c4c8f5064d78166de89ccbd5870d
SHA512 17617a8fc8e0e17cd0c8eb0b2ab9da25a7bc7e6320ddfbaaa158ce66191c47c9b5d2e2d1847aa63ad9b284a713a6075545e91e3210a98b084eadacf1042cf6bb