b0d7b86568b29605b5b9209be95f88d7033d6ab8ae9c6c1a100b44b8ea9e02fb

Analysis

max time kernel
118s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe
Size

111.9MB
MD5

2f89be8512ad3718014b6d0968860c7a
SHA1

ba92697c07d56ad62865b39a732282c32da0169a
SHA256

cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269
SHA512

10b215a47d905c33ad3622a863f7b247e1245800beba0ee0cc895f691c9258487bdc30f1825f1da509463c95df6860fed6279f667c68de25063c77e7570cb8a2
SSDEEP

393216:ePzBr1SCF0LIUYuFBmY54NEZPb+ON85c9ld3:ebBrxM5YuF4jNePbHoWld3

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmpYTDSetup.exeytd.exe

pid process

2072 cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
2412 YTDSetup.exe
1904 ytd.exe

pid	process
2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
2412	YTDSetup.exe
1904	ytd.exe

Loads dropped DLL 45 IoCs

Processes:

cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.execd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmpYTDSetup.exeytd.exeWerFault.exe

pid	process
2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe
2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
1904	ytd.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 55 IoCs

Processes:

YTDSetup.exeytd.exe

description	ioc	process
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1904	ytd.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\LICENSE	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\manual.bat	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll	YTDSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

912 1904 WerFault.exe ytd.exe

pid	pid_target	process	target process
912	1904	WerFault.exe	ytd.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.execd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmpYTDSetup.exeIEXPLORE.EXEytd.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTDSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEytd.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434094598"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	ytd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "340"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "99"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a1b2c15315db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "340"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "60"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ytddownloader.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ytddownloader.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "340"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F91622B1-8146-11EF-B4B0-E62D5E492327} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "99"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000b9fee158fe4cc5ae10ed8b8888d2e704195cfb8e5b15185c3df130dc34dd2ec4000000000e8000000002000020000000fb0eb6dfdc564c58c33f697e73e6e9720b6f3a0aaa5c933b2e8c00818a2e42b690000000416c97b50ecf9c5a97b91f86b54b54ea5853f472555b2f4d72282993b0fd1bad3c1552f399296cff2d88fd49faecc806a9021f51f3057fdfd7f2d33d39bf685158fe4d9d90c370a0a0272ebd27b7ec44e5fe601d6d571bc9bb64942f94aab369a7d1d1b076ef8171d39aa9555f04f79ff9835def53fdc8ae982247369918b712a9140f41c0b6a9f87cc80d4151842b68400000000b6464656baaa61e63792c605566078eae577ee058dc902d89d461638508b8cc591f8756dd79741177d4509e3d4f7b6a5492f63c308cfa9e4320827de343ef94	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "99"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000e70ba86eace7beae1d48ebb632675933f92591931a7167d230ff08fd97522c10000000000e8000000002000020000000b1a0518e473844730f9f4fd4a7ce01568f04a1bba9196bbfe51e32ff34c9d1fc200000002ff96b4e5a4e592719cd5c31949b51166f5672ee617f6a77cfb6db67e9600f7f400000003023c7b13ed15c2a5321eb00302ee3d74ff710d343f742288c94979eccab5e3e3cb24d7db07441f3bc17cb31261d1af87b39f6b418e38374576a6f4d56d308de	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ytd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ytd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ytd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ytd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ytd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

YTDSetup.exeytd.exe

pid process

2412 YTDSetup.exe
2412 YTDSetup.exe
2412 YTDSetup.exe
1904 ytd.exe
1904 ytd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeytd.exe

pid process

1188 iexplore.exe
1904 ytd.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ytd.exe

pid process

1904 ytd.exe

pid	process
2412	YTDSetup.exe
2412	YTDSetup.exe
2412	YTDSetup.exe
1904	ytd.exe
1904	ytd.exe

pid	process
1904	ytd.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEytd.exeIEXPLORE.EXE

pid	process
1188	iexplore.exe
1188	iexplore.exe
1304	IEXPLORE.EXE
1304	IEXPLORE.EXE
1904	ytd.exe
1904	ytd.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.execd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmpYTDSetup.exeexplorer.exeiexplore.exeexplorer.exeytd.exe

description	pid	process	target process
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2416 wrote to memory of 2072	2416	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2072 wrote to memory of 2412	2072	cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp	YTDSetup.exe
PID 2412 wrote to memory of 2252	2412	YTDSetup.exe	explorer.exe
PID 2412 wrote to memory of 2252	2412	YTDSetup.exe	explorer.exe
PID 2412 wrote to memory of 2252	2412	YTDSetup.exe	explorer.exe
PID 2412 wrote to memory of 2252	2412	YTDSetup.exe	explorer.exe
PID 2516 wrote to memory of 1188	2516	explorer.exe	iexplore.exe
PID 2516 wrote to memory of 1188	2516	explorer.exe	iexplore.exe
PID 2516 wrote to memory of 1188	2516	explorer.exe	iexplore.exe
PID 1188 wrote to memory of 1304	1188	iexplore.exe	IEXPLORE.EXE
PID 1188 wrote to memory of 1304	1188	iexplore.exe	IEXPLORE.EXE
PID 1188 wrote to memory of 1304	1188	iexplore.exe	IEXPLORE.EXE
PID 1188 wrote to memory of 1304	1188	iexplore.exe	IEXPLORE.EXE
PID 2412 wrote to memory of 1652	2412	YTDSetup.exe	explorer.exe
PID 2412 wrote to memory of 1652	2412	YTDSetup.exe	explorer.exe
PID 2412 wrote to memory of 1652	2412	YTDSetup.exe	explorer.exe
PID 2412 wrote to memory of 1652	2412	YTDSetup.exe	explorer.exe
PID 2976 wrote to memory of 1904	2976	explorer.exe	ytd.exe
PID 2976 wrote to memory of 1904	2976	explorer.exe	ytd.exe
PID 2976 wrote to memory of 1904	2976	explorer.exe	ytd.exe
PID 2976 wrote to memory of 1904	2976	explorer.exe	ytd.exe
PID 1188 wrote to memory of 2436	1188	iexplore.exe	IEXPLORE.EXE
PID 1188 wrote to memory of 2436	1188	iexplore.exe	IEXPLORE.EXE
PID 1188 wrote to memory of 2436	1188	iexplore.exe	IEXPLORE.EXE
PID 1188 wrote to memory of 2436	1188	iexplore.exe	IEXPLORE.EXE
PID 1904 wrote to memory of 912	1904	ytd.exe	WerFault.exe
PID 1904 wrote to memory of 912	1904	ytd.exe	WerFault.exe
PID 1904 wrote to memory of 912	1904	ytd.exe	WerFault.exe
PID 1904 wrote to memory of 912	1904	ytd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe
"C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp" /SL5="$5014E,116245401,999936,C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "http://www.ytddownloader.com/thankyou.html?isn=726E4E9A08134383846087603581901B&lang=1033&cid=bea3b60f7c56915a47cb6bcf8ab37087&oldVer=&newVer=5.9.18&kt=ytdd&pv=0"
      4⤵
      PID:2252
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
      4⤵
      PID:1652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ytddownloader.com/thankyou.html?isn=726E4E9A08134383846087603581901B&lang=1033&cid=bea3b60f7c56915a47cb6bcf8ab37087&oldVer=&newVer=5.9.18&kt=ytdd&pv=0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1304
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:537606 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
  "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 2404
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini

Filesize
14KB

MD5
5e4f61279b53016801d453b1d7a20cd3

SHA1
f32a34a88f7684264bfe4b1589cb7fd346add1b7

SHA256
546f50186b607153c9f121c751ac592b8905c29397bdd7a9c0bd860e467e6ee9

SHA512
1f9514359eada9224ed52815f02b17712d357e9806171acd1b0c88d6dceadac5692e5a131df4af62b8d15fce01759ffdcc3f075c374a33d43e10df8acc5268c6

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe

Filesize
336KB

MD5
2b4ec88beeaeebdfe0f996fbd53177ec

SHA1
8b60a69d5a72d456c496e4fb061182c5d46a9253

SHA256
410dea37700039f821acdb66d6be05350f37d143798cf39946ed5b4def709b95

SHA512
bd2c5d7f7e4b2ca7f38ff646fecdf46620557b269cae520a43d78fd040d06dc0ccab3eb068bed4621a4186c992850703b065881730f52fe1c29eba47cbea2529

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll

Filesize
111KB

MD5
ded3aa6b7920334e6b334eaed3db96c5

SHA1
43ddc57d22dce102a3687e548bd36e32fe20495e

SHA256
feed76629d5f9dbe7401a326994e80b003ca5fe1cf876029e4707a71bf4b5860

SHA512
aeec44f69d430a544594433a8e830af075cad27a7dfe83401ee82e51a949d1140e253ee49f786b944ddf98f513f3754eda6bf0311288eddf7ad1a73d8110de9c

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll

Filesize
2.2MB

MD5
3c07164ceba1068ee3eff672d8e11eb6

SHA1
c96d644ad20a788100609061c052220828784a09

SHA256
170a18f9d841606432b9157f243c43c7a2d53bf1fc028a147bd15f505749e69a

SHA512
af48e1d10f442789df7edaa89b7364f7670134af7f8c624b22073eadaf3516cf10aab196b411835afb839c0256314eb3d75fec37afe3f78f5e5fe123b3ffef4f

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll

Filesize
45KB

MD5
ab0a22194181d6d6ff01123dc9a376ce

SHA1
006355a4240c874443db242ec4d79b8f61e149be

SHA256
4d03b0edd616098fa390a41f8d68f6b77f4c96abf0bbf1578e310c1846017da1

SHA512
1db197bf8e99cd3e729a481a6f24fe1b090a12679a6ab5b6334e26a8442bd80d25379104c475fc9a70111b8c57ca048c4a3f40eb6e667814cce9ab1c86b6253e

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll

Filesize
45KB

MD5
91074f5c7288c67eaed2c2c657e373d3

SHA1
84aecb92336c668bd834a749081eaf1e476c38e4

SHA256
085dc559b88b1687b2918b8ee797734adfbbaa233ba7d8f0e8b5abea8740ca51

SHA512
579a27e5f3565efe46a47034f2880782c5a947b56e65118e8cbc58c886ec805ce39593becce5df4aeb851adc12fc22fd3db450c67b864a618dea05822c58a4a4

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll

Filesize
36KB

MD5
43f19a5d4d42e3cd6514348ba5fbdd96

SHA1
1f708f75fb1024be8b3f6e51ac465664f9414e29

SHA256
634e0e8bcecde4375f1f9510980bc2bf95495acfc8d0a14d15307c49829b4b2a

SHA512
bee50cdaeb50c888bd7df7ed789983a47ce6a50ab8bbba006519640530de8744f164628e741be8cd106cc229de1ca5f63ce23f41e94343869e8ba1aadd840f41

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll

Filesize
35KB

MD5
a3297b187aba1024501007bce77eeec4

SHA1
66b0d789f0fc6e465827bc372047ae1b57fb209c

SHA256
bf000179818fd3db857f7f46dca974698258fc11acf518fd77df4f5a9de05bbd

SHA512
8528aedc44bfb827fa2b5c9fe7c36152daa2e7c4cec32b8eabd8167dca4deadbe3dbd2b4723f00355a1f77cca1ff8c3275cc33c85454ef3e951a72bd1a6a407f

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll

Filesize
34KB

MD5
04a21f5ee0a9c27ca5e5dae050f3d275

SHA1
44835c934ec2a4e37a75023317798837e412e34f

SHA256
ef0fdefcf8af37c1ebaca95e79279907a389915d09e81da38fea9ff17afb1acc

SHA512
6fb0b523288c70f11cd1fae8bed774266956033352df6e9dea3f3881a9b971f0d13eddf9d6d124edccc4dc7ead9441749b091017b3f9ed2b33f887a1f8f660fa

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll

Filesize
36KB

MD5
d4f826e68b616cccc1de1e5ef07738b8

SHA1
e35d6657f4de4826d790c935f94ce41320d09b00

SHA256
1b64f39162f9918597019a89068edb9607caae194fd80b5367df08ed06ed5a78

SHA512
877df9980a3951d9f65983ddfac5df8026229e99618cd05b6c803e754074d760c5f4308cd54a1c7e7ba8f65ef684ea43eaa06ebebd4e1a38441ea9a63b47c956

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll

Filesize
9.5MB

MD5
4088b4e4ea76db97544c76ef7f2af08c

SHA1
c862b32ed75b8ad1c029edd2c0f492fcb689f8e6

SHA256
2d7aff56a160ac39f7b68b34eb1e25bbeee8fca6034fee8f278abd0fb3dbc0d8

SHA512
66f664a8fc270bc611cc1c247fbe9a2b26baa900b7b38a35ac2d232b6af694914667eb066139e1a889b33e226b845f74f615b48ef84eb626fcf3db137468087c

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll

Filesize
528KB

MD5
416108272cc56d4036d5796fbb1b8f3c

SHA1
66a7bb238eb0d4ba6543a0046df5324a8833cceb

SHA256
7bf969f40afb0ae30da950059a10868e1a20c0d64ed7da11fa5c9c7e0a123bc4

SHA512
682062f8d3b012242b3f679a16f1e4edf62f7918864488f49fcc8ee5b938989ec6828417c0f771ec2835e11688ce024dc84dbc859c70daac2fff87fab28019fa

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll

Filesize
78KB

MD5
350983ab596397b2d2703d658baeea8c

SHA1
63205b4238ba14871bc44c7b14b61c43ea509f19

SHA256
36f5f233c3c01c8ddbe330a760d28c0733fc512ba5097daba5c992742e0a6571

SHA512
b923e096a0f0460055d8f959ea496625e87a939b0c054fb2331508d8905a3c19ef7dd9a0d327144a70a1ded62cfb602c42637fa2be1de69b1a74f61101fb962e

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll

Filesize
36KB

MD5
6d9fa70a05698e9b6aa1c6074def16e8

SHA1
41b2e9aa0ed69a75a279cd3b57e5b4666e9ab991

SHA256
3ef1918ccb05373eb15f5298d083c1c0a8e171ed2ab321a6c2270f26c2185a5b

SHA512
a075bdba7c71664880549b6779d56fc5e354f1ed11eb1f50be68e4e6f81c7fc4b4ead6a7478e58c460f292aac02506d01d5c65a7b42cd4a65ef554b75a20eb01

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll

Filesize
39KB

MD5
3dee8d41db28133b3d00bfdf0fd16eaf

SHA1
55f447676e8d94df25285155f6974583613395ed

SHA256
d6af06ae76f1409b16d2e781217b863a7b32d5ca953795f52d5aa54b0491272c

SHA512
6b222b39601210957082e490073b2d15caa0ccb94121385f4372a02f916a04d4c1824b0f897c875fa1a756d81d511f4ffa649dae7cc900c3746817e1049a67ac

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll

Filesize
64KB

MD5
ccc67f588880568bfd46c4b8140f41aa

SHA1
5d37e43434dc31d55624bfd481c816bd2a285b6d

SHA256
8f42dafb5528c09248478913ba39b6381128c28eace727b488d639f36e614a7d

SHA512
5ac2ae619bb27a4c8cd2fdbed454d930cb5ed8ffa134ab6e9eb84c156650955b7eb1ab4542e5477f7aebad95194dd0dd751dfc508781d9820079d8189ef45092

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds

Filesize
220KB

MD5
d8ced7c2193354757988028fbdbf197e

SHA1
23e7c13471207cc7abd0267f11f9c814bece7011

SHA256
6b384b1e208a2260f54e3d003449c53c03acd8947c8762060fd9e9832dc3bd9c

SHA512
96db2348c6c8f00fb14321b3b816a1a59a60bc54f66002253d6ac43768c94aca5ec3435069e17a23426034bd583c350cdfbcb9daf4b258a8fd485bc96a34f908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
174359536ce636e77097214500667510

SHA1
ba70cf9c7ba362e5c641febf3cd9fd0f02ce2c63

SHA256
17399790dac618abf69eae330e18196379c8629ac5861d7b6f15bde3e6592081

SHA512
38308d863204fa49ec8cb4b17c5394c68a85fe8c526a0bae793f1bab08d24ce264c9ea78da1925e2d70397ef5561bb1a5cdc47c8658d82152fdb499b347a2e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
e299c2df44abc6a1f1573e7909b2d560

SHA1
1f53c9b70dd7cd7ef48b391d80808728d0f583b9

SHA256
e26134ea32535a0be3f17381bfd31ea5869136060a5a109a56b4da171723f70c

SHA512
072442798df8b45dc0e6b060b02e8aab90e1ccd09874b40087a5b12697afae53d2b329c0c46c24a6fe00f1c587974764c91dddf2cb94bf002fdba5b3f153c843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
3349e84cbbd92ed821a789533cb83ed9

SHA1
e102b72dd82a264f8cef1ba46728caf1c6131fb3

SHA256
907a771c35db5663055274eb111814045a3c269decd725a57f5b1a5aadbdb4bb

SHA512
e91637992afe02d412b9b214593f850320fad8c08447ab5a71a18b338ffcb1c2856c7e6c5b67e25382fda22a6c47f7fec6d99754c7b529e71e5f7116b6d43bb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca2ed9fbe7833c8032d325cee66a1685

SHA1
d125ba70dcaef9d1b5ecd293591f796e0cc6e2de

SHA256
e9242f5c559debf079826cf54177ff4d1488c7b33f071aec6876f01b5fe11faa

SHA512
6bdc6433925d0d9348046ccfb4ffea14c55ddd3d8b512664559e27de908bc66420176a46d10f8019cf1268528962e53809620fe02d8372bc719a8fe8ace57dc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a19f24b91a8bd4db8ecf4df1139aa1fc

SHA1
38a7276754bd5d1e8ca586a03367787d5cbd052f

SHA256
aaa4bd1aadb367ea1c25dec5824132494dfff5a06198d64a2db24db8ff7a4305

SHA512
ab5259e6e0e6f8258cb53f769c599ba9c77da4d02bfd2e272068299f392d6f91c8157646102ff8d0d1a8d5e37926e799a958e2c5fa45e7ebfefc3d22cfad6bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4b0809084d147e1a15cf1d27c2970ff

SHA1
cc58bd334b31ead08b4bd439437b15725e021684

SHA256
6ceda3cf5d11364eb64af3a80867202563e0733fec0560d0e02a35ebf78ae911

SHA512
61b951405b21f4e904829c8fdd2008490c98ac571563be5bc009af22b44d2a730aa9b97d31ba45162b6fd35f5036cdb7f4fbe40138d81fd9d22fe9c6f9b86a01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
038147d4cdfd4b8d8af3d6c69a59f54f

SHA1
d1a4fbbe468e12483c493e7f31222316b22404a9

SHA256
514ec6d559a4024986d48bec05965ed23efeb7f39b5d67ba56dc0c98562e1cb5

SHA512
0fa7b6a84410b7b3aebd46c8fe031ef3c0eeae2a0cbfc63818949468432f212a87638ca8c258d4ad50d157bdfea529e0e219ea29964884a3c1cf9c639207ab48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc7785fedacb72a0c9889b9845385bdb

SHA1
e96c18c942e2ea7a06894397aca1282cb3f9ec07

SHA256
0e28fc941080ec7e4bfda75df253d3cf3efa04e88ff2e4831a6d2d3cfc76c326

SHA512
fd802b925a0d0c9cacd8883542d22c6ae1971f7920a18a155a947b0eb6d0e65226aaf84dcead9e2035cf09562a6e179da7d8cb3d0319d6c0e233e29232c03f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5ff24c661882ba0f676dfc4ee3fdf7f

SHA1
6ee87578cfc7adb0484487dc0205dd16e0cc32d8

SHA256
75438b56c44e81e9c32b2addafae41f25e00c1abba84b9e7ec50caac7903fa52

SHA512
578b7d74c5af8cfd7fa9ab98b45964b7c553a77b33a6be3414141c86228595a24c01856a4bd02ecb9f12e8b1ccf9a6d03ffc2f3aab026027418cadf5c1c3bb20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
672a73c44f607dd3987ee52dbe8ebc36

SHA1
3d971538e577c5710e053db69c6cecd549b7e158

SHA256
71c7b9553823ce2e72966e424631e1a8670a4137a55e726644717dc3ac8fa058

SHA512
aba147c7c7e6ea51412851b7cf8468d876b08ebeb8cc5a6b64431c54233744021bd415248ee5f5134f1a64a233743520306a18825ce9fc03bf2a312dd5002208

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59edc3899da91263a060cd254a1e257a

SHA1
c8cd4e312e6dbdd75e8f0b8c1f48f9d5ac3d619c

SHA256
c903c1a6dabc60d908bba5c20b1d81fe27431c8c01cdccec3632965e64f53b7c

SHA512
30c8094ec325d9e848bd4d81fbf467b17604bb287f447f6c1d18a006cb7f3e0d7bb1f30fbd59f4b0eef308d39ff87511b2da6a8ff417eea87d957c74e53bf39f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e26c646b209cf60be4a7a24a28cb4254

SHA1
6ecdc92ddb4e3e708deaa51b28f8d891f612bb1c

SHA256
6a5664d648086cf591856c1811d8144f604e56ef97bdf24c75b5ed035e9aec88

SHA512
d77f149353cac4b28263fa02ee5b97a45c702777bcd89d14382a01254f3b541a1eb0b82fd59b7b50caad2abdddcec57af2cc8c7a9ffc6a580ce93498a42df3a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
702d280524639191b5886a8c17af647c

SHA1
9fbd69dc29a7b2d2f9e897a5d33db08c585db356

SHA256
14fac4de843aff5251788ae7663e09e49b7b8c72e978fe26c31eb378b05d4f8b

SHA512
dcbe3173a6a29663fac00ae45cfbb76dd353b80686b7d5502d420b17ce7172a8c7723113ecc0bb4cf77d7efb8b531376440fe69a722ab8898eef9722fc9c2684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dfab9f39983301be906486249374452

SHA1
1a8dbd165d8a9bc448b55d0b937087f5b60cda17

SHA256
ce58b28d7d93d6af5b1ad6efdf149f71578bada04c4e81402f3c40e74f9fb288

SHA512
118827ae41e45b2c75a7c75d0b6a7dbdd85a583e0c809fd31aa64c63a7f44ff1b830d3fd148f2b6193db074ce915231720e81fabe86f8d84916c6a9918c551b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04e542987b61a2093b2bf7ec220f8dfc

SHA1
67caf9f64679ad3e05be605b77b2a1eca0bde9d5

SHA256
89fe7f99d2a98acf86344ba6663e6c237c4969fda210be89733b594d4798f951

SHA512
3452d4decb6a9b175a31fe27db895170e72fe2ed943220c9c6a2ca814fe357c522969646df0d27ccfe29d0d3673747e9ea178ff6f0e130f64ccd2c6cab2f088e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
083165366adc1e40f6da16f5646fb650

SHA1
ec6222bba9830abcd9bb54a9954c3ea75d4b29b1

SHA256
3ffd84e58322292bcd1ccded425e676b1a8bc0a5201567c2438aeade3cb9289f

SHA512
cb4a9189d64b7f2b276a2db0b2016665b6a680fbe7be4aaab76d8282bd301e6415408f238c2af0d7fc78a40d6c358509e53b387ed4031fc2f3826f358fbe654e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
633cc74ad08fac5b5d906cdd8079e5f2

SHA1
b0b7b3b197ea0310a8d3c24ffd256366c5883408

SHA256
ae50a3439f0dfd284a7b27f5c69318daf54e59e183dc28a695c0391fa782f58a

SHA512
735dbc4b9ec888ee6b5754db9082fea7a478eede339bea1920c77e5f8436162948e78d8c70c7a101496709434b308db6e2a7c7feeadaf610f82112b636eaad25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e434efa0c8909c949ad52044c28ac342

SHA1
edbc8487c33d8d5fa26c72922f28615ba0f80b63

SHA256
6ee6ca2221257d9497afbc293bd122c42e3a0fa3b740045f0c4ad836abf9309d

SHA512
ebf13d459379bb6f9387344e0d30265efa46d034137dcd1680e625851403ac17d1298f94e9ebc7faa2458ccabd37523bf3b4cf152539d175fc04b5d6c9fe29b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e78fe126574c70482e1565f4620f6b5

SHA1
1cf4133e2d8332b3d9c8ca31dad3f26ced8b1d0a

SHA256
aa2cbd494b9772431bcb93d50baab99d0fbe6cf1d09162491df5c1f247da8e35

SHA512
01f82f552a9f8f35fc53cc0931f00d83540fa990afe43bc434aec6873d3fe24e9ac5d16505f439b3cbf1f37c0eb1c8b0e20b31cf79158caf177decaa32f818c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d21d982902a4c301beb28393066348a6

SHA1
a904efdb806630fd9fe974e27fa689b5de4df62c

SHA256
228807ada6e6c08e42f6ed38b5576ac6e07b89b0649980bca7f13d2aa0b761b3

SHA512
59a0b0e9e59dcfd0fdf1f5a5d206a198c43d729988dfabe0523ddd0bf50ae6f58c1d3c6b70ef3006d30d8f281d6800c32780ca4179ff52a2b22f3b54ceeeb154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8775ad2c9d54368dbba3fd6ef90871af

SHA1
21952b663343053969a9bc6c04ef4b5938d2fba2

SHA256
82b2b856b037bef0aa3f4b0b6c312caab7e5d37f1eb4e312548cc7cbc1b82fb3

SHA512
1d06858fd41bfa98430f41f5bb4340e2c3491e13a49a7f5111693ad2c6dbc7edecad019e39e589422ecd3fa827c664a14c8abe7f8709c405742e0f63e79840e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93fe43789ee91cc07623d643fad97255

SHA1
b140ff26d1cc28ad99c0f8ec5a399daf81d36abe

SHA256
01b4dbda548d54378035a0f7899ded2e4ce1ab7585c89635f4a88deb36a9cbb0

SHA512
ba8c6c46e14c496778f7b60c65ce9350b244a2413a6b69acb31ddfa764456ec3dbe78efe8161d02317b102de02fd56383055f84ebffd4d9ba1b12b0226fac848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6def2c074cb45dfa167b8bd4dcc53ab2

SHA1
a2b3469ba89814ee0d3581374e28bc3e7b8b53b5

SHA256
8c4236349f96494ecf39e2be7717a7aeead2f2222d9967365b96444f99e87cd6

SHA512
d1c645e724023ef5457cccc77c02c5b3b27d33f917174a140cddad913880520bc435e50d05d4962e190e1c59eeade1f6e14c156703bc4009a370206e106afd1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70bd75a678d49ac339baf9b941715ca8

SHA1
bca1b72a1f10d49686664d54f264ffa89b59a785

SHA256
1eaeee7262520db84facca35f46579834158700eede61a3296524095ecbc8457

SHA512
60efdd707a46e26c758fbb793999338258402239724d3824cb26b959414a645e261bb0473e01c1b75d60eb40a196600d645a97053767401e14a3648cfca0a4c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80d08b8b97355ee9f1698ff439650e5a

SHA1
71f2d482f76254c35f36e11a5361e26fc5f9fefb

SHA256
ca9d5a313b781f7b95c20a514d6f5ab288a76a9c55d5fbb8f4ae8cd3ae43fd94

SHA512
5d9f1620aa7794c645af57626e9efd850a2b70a0b93ad58d46bc7fbb9870d64f6044ecf8a8d46ef8ea181cdc77fc40fe64e9d9b6b65cc0dbd41530445d1cb30e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65abfa06bec4f6189f410f3875fd4716

SHA1
657b0a5de821a41d6275e1ae633e10507ca4c264

SHA256
0b4da9e271116ffd7cf18df15a937f9f25b40617c2f7ef1dbc5fe8a4493fa9ff

SHA512
385f1a46ca806599e8236dbb5e1bace568ad609c92fbb0adf4d8c1ca05ce2f74d38f5035ce3b252783d87151ce1034bf8147a14a9fa46d0cbf3e5d586d2b5bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5517b3beb2088c231cb670a0b8cce841

SHA1
80b007fca03d1e6cea58c409f43cf2786492d41e

SHA256
af269c771b3f6c66bed563bdacce4b5d158d814e3a841a5dc61eceb8ba7c906d

SHA512
0ae052eade90403b8c5ae268f5eb43b599fdebf23aa4d9939e6b0c02548e472fa8a4e329b8e20bb266af00890a2b12966d0af9b46088192555697bb64e37298e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a4e94e84d2de96ad02f5babd97edb43

SHA1
d1e8883ef35a9ccbdd330d69579ce310569d3dca

SHA256
2332dc28c1863b5354d688961c7b205f085a47815b690affb6d337260fc0c8de

SHA512
d2bd9ee0a1ebb707b610c17eba033be4a2434b21d93be1f2f08b367aba4566f73fe9d6d4dd6e30f72ccf5811b488405ac0ba34320e87b94fea62168a70981614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
effdb9892bf5d5d551ca0266d8ff2934

SHA1
eeb3c21e3a66a9c9a7beba2b4ad41c7e905ac82e

SHA256
161cf8d4249c801e90d15a99000332c02904455fe3dc37404f47bb04fda7d625

SHA512
f261bc903e53279e34a93aa1ef70a0391fffed2e54a080a6f677035800775137b3d14b93ecdb4d5df431c2f9e1f3d4d185585a06ac346abc32679f3af63f1546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d546151dd2b186778546400971bb5bd

SHA1
71e949fc47cddf1e48e9e61c7cc9e7d21da3daef

SHA256
b7bdc7bbd739a86d03930b0b804e6c19488beb76ebc2eb709845f53cf6bd8647

SHA512
7c82f126a6c617687048b9ddb7b87278b78f2fc5bdc2ec29e4daf2a793a52abe66da01ff36af2a51e33a078c2b6c5574e7d47e616907fdbc71b15f00a7ee1a9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1049f690a1350f6e900a1a5dfe191e1c

SHA1
f819cc2d36e042b48464df53b5bcfa98b75ef479

SHA256
377daa1bcf14003fc59a1ace01698034e98ba67b88909c269acb07fee7227dcc

SHA512
157329dc55a0889377e86876977c71e071170c1660d1f0d4009d28166043ad84ba9f16399625c6b4711f34d84ee80de3469539f9a777d04d40c6093a2e702102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d35a992fe874f9e19722f99fb9cc242

SHA1
eeac0d259628945168234158bd86386a6aef7b5a

SHA256
e9d530f1c5bf0fdd44292608f95f46c510bc3076ab680ac31adf78c0ec211887

SHA512
0e34325b7fd61f33e051f7fcd5c2eed0a1c4025a46f808ab84164f4253855d871ed78826a17337d99e0c4d0b19c88bca11e16c0ba970eade02aa52732c866287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66d1f41f709f824c785461c83bb001d5

SHA1
9cea7f8a328fe11c44390cf3ed3b4d7bd4c96078

SHA256
173b87f1e31596e8af12e976909089686425bba0a7a67bd13d02e3a3a81277ac

SHA512
797fe6300dc84102636b10524238523fc55dc5e31c0c681c422961f521e96616566dd8a78a0c84ce264e861ffcb86a6494ad560bfd3d430bdfb4ddb94a1f3f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
088ec200c6b990ff2e47021f40fc6407

SHA1
8ac6b8c18158d5cf74db6382b989bc5c7117064d

SHA256
34f2a79579c52ad2cb7c29098851a486c451b0a9583145a18083ac9a3c60e14e

SHA512
858995a946f6c9f120d0dbb671f4f4dac16a5a116246a0202df13e9519fb4ffb7dc28c907a7e37b768e8fba866538416c21d316aaf608851f26a8dafdc89aa89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
79b64cad1f14065bb9f8256038fe56f1

SHA1
ffa42c768c8cc6b6e5aa9b3ed75049a5926d2902

SHA256
3d1aa903d9e37d10b344207b85d05b0ce4a49e0cb97d6a809c6aa1cb2af50f0f

SHA512
b24de79a036be8c8a413620d27dac559e8dbc7cd25df6bd6eae6b27cf165a93dc6425830863f8d9059d66cc7c90f8cc8abb4c75f15bd47518654d0d3e92e3560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d8b973f5f6f30aeed55ce75e8da739ba

SHA1
2b9bc19e2812ef3f955b23f1a86d2b4b8d10f9ec

SHA256
740fdaea6e73edf61251e13deffaa5eed5f30818e6873085eb0b6a3fa63ea707

SHA512
db43111015e045363c3f6863dfdffa489caea8de282757466af85196e4cb965da93aa6d46a63bd4d499f870a8fdf0b85cbc1f563129107ad266939084b3ba1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TVC4TVTK\www.google[1].xml

Filesize
536B

MD5
c54e105b286e6c004880eb2d05915472

SHA1
5975339866bc939b5002490a2a4555a95de56b8b

SHA256
5e2c575fcdc9fabf06695e416471c60003a37c7e11ed9acc3aa6f8aa59d19aa1

SHA512
14fb657a9b350e6648f2ad2a3bdf314332a06911c21350a6b66fe73c085f0e3c07edb452b1378e39c6a88b16f355c334a5dc6dba2bc5f8a111820c18e718681b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TVC4TVTK\www.google[1].xml

Filesize
95B

MD5
7a8719fb43f3eca706375b4d35ad5393

SHA1
a51d4ce8a7889c32f91f5aa227a37e1b003e30b3

SHA256
6f0c607ba2f61466849afa1816b278b3cf7223e71abb564811c5da9ae923ebd4

SHA512
bc8f036a0d1938bd9ae05c5c64ac76c075b5a91544776578670a1f4d0d4502c7d63b62254a7880d480be9e34980ceaf9f914894c93be68eb272c28e0e0027eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\favicon[1].ico

Filesize
21KB

MD5
b71d2d64c174e580bbf5fab2bdd8f5bc

SHA1
032fc9ffbdd4b8e2cf0490f0b78e3f41eb979084

SHA256
609e7c323da93b1f5f56ea594792c4bdbe55bc5efec0c074cc0f71b706452bd9

SHA512
8722a98063d56891cc00093d4d3d5084f5c9a6b300d3f0a133d881de7a01d896efa3e002cd54f1c4d02d443c013f3e6638e19eadeae24f933a47b835cec3b344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\ga[2].js

Filesize
45KB

MD5
e9372f0ebbcf71f851e3d321ef2a8e5a

SHA1
2c7d19d1af7d97085c977d1b69dcb8b84483d87c

SHA256
1259ea99bd76596239bfd3102c679eb0a5052578dc526b0452f4d42f8bcdd45f

SHA512
c3a1c74ac968fc2fa366d9c25442162773db9af1289adfb165fc71e7750a7e62bd22f424f241730f3c2427afff8a540c214b3b97219a360a231d4875e6ddee6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\recaptcha__en[1].js

Filesize
538KB

MD5
33aff52b82a1df246136e75500d93220

SHA1
4675754451af81f996eab925923c31ef5115a9f4

SHA256
b5e8ec5d4dcc080657deb2d004f65d974bf4ec9e9aa5d621e10749182fff8731

SHA512
2e1baae95052737bdb3613a6165589643516a1f4811d19c2f037d426265aa5adf3c70334c1106b1b0eef779244389f0d7c8c52b4cd55fce9bab2e4fcb0642720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\nqindL10x-xAPrwNrAa_2xXCVxcRZYSWuE-W4fSi8Ko[1].js

Filesize
25KB

MD5
d99939496f22d283c093dc7989278200

SHA1
5f637e9351b678dee8473c56b464c8184dce59b4

SHA256
9ea8a774bd74c7ec403ebc0dac06bfdb15c2571711658496b84f96e1f4a2f0aa

SHA512
5bbcb7d40ab59d5f12d16a523c3f713f82d702dd61b4cbd485f80052317943857a03ee8071618a42d498733ae7c59ce9f5044540acbde7d5fdd2e12af0a4cfd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\spacer[1].htm

Filesize
134B

MD5
4aa7a432bb447f094408f1bd6229c605

SHA1
1965c4952cc8c082a6307ed67061a57aab6632fa

SHA256
34ccdc351dc93dbf30a8630521968421091e3ed19c31a16e32c2eabb55c6a73a

SHA512
497ba6d8ec6bf2267fe6133a432f0e9ab12b982c06bb23e3de6e5a94d036509d2556ba822e3989d8cd7e240d9bae8096fc5be8a948e3e29fe29cab1fea1fe31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\styles__ltr[1].css

Filesize
76KB

MD5
0ca290f7801b0434cfe66a0f300a324c

SHA1
0891b431e5f2671a211ddd8f03acf1d07792f076

SHA256
0c613dc5f9e10dff735c7a102433381c97b89c4a26ce26c78d9ffad1adddc528

SHA512
af70c75f30b08d731042c45091681b55e398ea6e6d96189bc9935ce25584a57240c678ff44c0c0428f93bf1f6a504e0558bc63f233d66d1b9a5b477ba1ef1533

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DFE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E30.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE0FE.tmp\NSISHelper.dll

Filesize
401KB

MD5
373c6ac98ae82cf341394215d28b5830

SHA1
2e3542372f1e520cdd47d30035dda85fdd2b11f9

SHA256
5cfd1ab1740c4a68cae314157468423dcd7b0ffe873b91257e10fa28169a7d18

SHA512
6d0a31a6c5c4b965633f943eaa15d3495be072f035d97deac27690d6a6a6890a8f817b406153fbba5a8862675b4f3015ac9e93fc8b6d90b1c4b029857123a117

Download Submit
\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll

Filesize
46KB

MD5
46672363f47a25d69a5324045f4e8d63

SHA1
f0d65ad9301f953f7b604087d27ce3e600891250

SHA256
0a2f80092b426f11dbf54b10542d3d7b45d2e40fc575e8e0e73cdcca47b4885d

SHA512
24b52206390b04cb909a1da12b46294f2aa848a42c27a6d765e6666ffbf86f64bac929e9210723d5c537a11d015d2f556e39821d01310a328cf41c988a25146b

Download Submit
\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

Filesize
1.9MB

MD5
b1934b07dd28fe1ba94df3861128402b

SHA1
c5d918e696059437dacffa8c3359ee31e97e6e06

SHA256
2670c0406f42be2455f3a20e3ae8b024a41c46b956df9214cb63ca1efa18b17e

SHA512
e863702d96a1a8371403933d9a0e082498d15a39fcf0bedb981913981f8cd9dab64e54202c4a7f2b4c6e4407fd3a7bdb9b0a96340b258476cf59057e80cbbc7f

Download Submit
\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp

Filesize
3.1MB

MD5
34fb289e9fee64cd7d4b588f0af35a87

SHA1
749822f7891caaca3fcda698a1f3a88afa76b26c

SHA256
61fbf0a6084bd7bab3ed214f1c372a569af302ee353e59ddb4f9f65436bf9b55

SHA512
9bc594e241747faadb3295792eff37c76a6f4ff1a0f0c91e63fd45905da15239a1aed8bba55006f32310633609fa43132616cbea30b3a104843f2b553b58adaa

Download Submit
\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe

Filesize
9.9MB

MD5
37c8ee1cae9779ec094be29a35a5061d

SHA1
ae99157bda438ad024e38dd91a975246b00dd557

SHA256
0ac4b34f2a8f9c004f6c942ce112a0ab87bb1c2b17a7dd745519eb414ebdae35

SHA512
e725a2ec6f3550e8de89b200f4bb79f808f14d6da04d4a80629ecb1b428ba0c74a0468e7b7bb53d89744bbba19066f4799e3a84951d21215ce0b72edf0798728

Download Submit
\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE0FE.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE0FE.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE0FE.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE0FE.tmp\nsisdl.dll

Filesize
15KB

MD5
ba2cc9634ebed71cea697a31144af802

SHA1
8221c522b24f4808f66a476381db3e6455eab5c3

SHA256
9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba

SHA512
dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

Download Submit
memory/1904-1682-0x0000000074820000-0x0000000074834000-memory.dmp

Filesize
80KB

Download
memory/1904-1680-0x0000000071CA0000-0x0000000071EE5000-memory.dmp

Filesize
2.3MB

Download
memory/1904-1679-0x0000000074EA0000-0x0000000074EC4000-memory.dmp

Filesize
144KB

Download
memory/2072-8-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/2072-152-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/2416-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2416-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2416-154-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download